CP
cyberpings

n8n Webhooks Abused - Malware Delivered via Phishing Emails

Threat actors are using n8n webhooks to deliver malware through phishing emails. This tactic has increased significantly, posing serious risks to users. Security teams must act to mitigate these threats.

Malware & RansomwareHIGHUpdated: Published:
Featured image for n8n Webhooks Abused - Malware Delivered via Phishing Emails

Original Reporting

THThe Hacker News

AI Summary

CyberPings AI·Reviewed by Rohit Rana

🎯Basically, hackers are using a tool called n8n to send fake emails that install malware on your device.

What Happened

Since October 2025, threat actors have been exploiting n8n, a popular AI workflow automation platform, to conduct sophisticated phishing campaigns. By leveraging n8n's infrastructure, attackers can bypass traditional security measures, turning trusted productivity tools into vehicles for malware delivery.

How It Works

N8n allows users to connect various web applications and automate tasks using webhooks. These webhooks can receive data from apps and trigger workflows. Unfortunately, attackers have taken advantage of this feature by embedding malicious links in emails that appear legitimate. When users click these links, they may unknowingly download malware or expose their devices to threats.

Who's Being Targeted

The phishing emails often masquerade as shared documents or legitimate communications, making them appealing to unsuspecting users. The volume of such emails surged by 686% from January 2025 to March 2026, indicating a growing trend in this type of attack.

Signs of Infection

Users may notice unusual behaviors on their devices, such as unexpected downloads or changes in system performance. Additionally, if a user receives emails containing n8n webhook links, it’s crucial to verify their legitimacy before clicking.

How to Protect Yourself

To safeguard against these threats, consider the following measures:

Detection

  • 1.Verify Email Sources: Always check the sender's email address and look for inconsistencies.
  • 2.Use Security Software: Employ robust antivirus and anti-malware solutions to detect and block threats.

Removal

  • 3.Educate Yourself: Stay informed about phishing tactics and how to recognize suspicious emails.
  • 4.Enable Two-Factor Authentication: This adds an extra layer of security to your accounts, making unauthorized access more difficult.

Conclusion

The exploitation of n8n webhooks for malware delivery underscores the need for heightened vigilance in cybersecurity practices. As automation tools become more integrated into workflows, security teams must ensure these platforms remain secure and do not become liabilities in the fight against cybercrime.

🔒 Pro Insight

🔒 Pro insight: The rise in n8n webhook abuse highlights the evolving tactics of threat actors leveraging trusted platforms for malicious intent.

THThe Hacker News
Read Original

Share

Related Pings

Preview image for Autovista Ransomware Attack Causes Major Service Disruption
Malware & Ransomware
HIGH

Autovista Ransomware Attack Causes Major Service Disruption

Autovista is facing a ransomware attack that's disrupting services in Europe and Australia. Customers are advised to monitor updates and take precautions. The company is working to resolve the issue and restore applications.

REThe Register Security
Read PingRead Source
Preview image for Adware - Hackers Could Control 25,000 Endpoints Worldwide
Malware & Ransomware Widely Reported (3 sources)
HIGH

Adware - Hackers Could Control 25,000 Endpoints Worldwide

A new adware threat linked to Dragon Boss Solutions could control over 25,000 endpoints worldwide, disabling antivirus protections and posing significant risks to sensitive networks.

SWSecurityWeek+2 more
Read PingRead Source
Preview image for NWHStealer - Infostealer Spreads via Fake VPN Sites
Malware & Ransomware
HIGH

NWHStealer - Infostealer Spreads via Fake VPN Sites

A new infostealer named NWHStealer is spreading through fake VPN sites and gaming mods. It's designed to steal passwords and cryptocurrency wallet information. Users must be cautious when downloading software to avoid falling victim.

MWMalwarebytes Labs
Read PingRead Source
Malware & Ransomware
HIGH

Brickstorm Malware - Joint Analysis Report Released

A new report reveals that PRC state-sponsored hackers are using Brickstorm malware for persistent access in government and IT systems. Organizations are urged to act on the provided IoCs.

CCCanadian Cyber Centre News
Read PingRead Source
Preview image for Microsoft Enhances Windows Protections Against RDP Threats
Malware & Ransomware
HIGH

Microsoft Enhances Windows Protections Against RDP Threats

Microsoft has enhanced Windows security to combat phishing threats targeting Remote Desktop files, introducing new warnings and disabling risky options by default.

BCBleepingComputer+1 more
Read PingRead Source
Preview image for JanaWare Ransomware - Targeting Turkish Citizens Revealed
Malware & Ransomware Widely Reported (3 sources)
HIGH

JanaWare Ransomware - Targeting Turkish Citizens Revealed

JanaWare ransomware has been actively targeting Turkish citizens since 2020, employing sophisticated tactics and low ransom demands to maximize profits.

TRThe Record+2 more
Read PingRead Source