
Threat Actors Weaponize n8n for Phishing and Malware Delivery
Phishing, Malware, Cybersecurity, Automation
Threat actors have weaponized n8n, a popular AI workflow automation platform, to conduct phishing campaigns and deliver malicious payloads or fingerprint devices via automated emails. The abuse of n8n’s webhooks has been observed since October 2025, allowing attackers to bypass traditional security filters by leveraging trusted infrastructure. The campaigns exploit the platform’s legitimate functionality to distribute malware, though no specific malware families or CVE IDs were mentioned. The primary impact involves the misuse of productivity tools to evade detection and enhance the effectiveness of phishing attacks. No geographic targeting or victim demographics were specified in the reported findings.
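
A defender-side check for the delivery path described above, written as an added example and not taken from the reported findings: it scans the HTML parts of a message for references to n8n webhook endpoints and separates clickable links from content fetched automatically on render, which is the fingerprinting case. The `<workspace>.app.n8n.cloud` host and `/webhook/` path layout are assumptions based on n8n Cloud's URL scheme, and the sample message is constructed.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption (n8n Cloud URL layout, not from the page): <workspace>.app.n8n.cloud/webhook/...
N8N_CLOUD_SUFFIX = ".app.n8n.cloud"
WEBHOOK_PREFIXES = ("/webhook/", "/webhook-test/")

class RefCollector(HTMLParser):
    """Collect (kind, url): 'link' needs a click, 'auto' is fetched when the mail renders."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.refs.append(("link", a["href"]))
        elif tag in ("img", "iframe") and a.get("src"):
            self.refs.append(("auto", a["src"]))

def is_n8n_webhook(url):
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # malformed URL: not a match, keep scanning
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return (parts.scheme in ("http", "https")
            and host.endswith(N8N_CLOUD_SUFFIX)
            and parts.path.startswith(WEBHOOK_PREFIXES))

def find_n8n_webhooks(raw_message):
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = RefCollector()
            collector.feed(part.get_content())
            hits += [ref for ref in collector.refs if is_n8n_webhook(ref[1])]
    return hits

# Constructed sample message; every address and URL in it is made up.
SAMPLE = """\
From: billing@sender.example
Subject: Shared document
Content-Type: text/html; charset="utf-8"

<a href="https://example-workspace.app.n8n.cloud/webhook/a1b2">View document</a>
<img src="https://example-workspace.app.n8n.cloud/webhook/open?u=42" width="1" height="1">
<a href="https://app.n8n.cloud.lookalike.example/webhook/a1b2">lookalike host</a>"""
```

Self-hosted n8n instances run under their own hostnames and are not matched by this check; a hit is a signal for review, since organizations that use n8n themselves will see legitimate webhook links.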