The n8n n8mare: How threat actors are misusing AI workflow automation
Essential information
- Published
- 15/04/2026 17:08
- Modified
- 15/04/2026 17:28
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- datto rmm lucidrook n8n phishing campaign webhook abuse
- Tags
- 2026-04-15 datto rmm lucidrook n8n phishing campaign webhook abuse
- Related entities
- 11 indicators, 11 observables, 1 intrusion sets (apt), 17 techniques (mitre), 3 malware, 8 others
Description
Investigation reveals widespread abuse of n8n, an AI workflow automation platform, in sophisticated phishing campaigns from October 2025 through March 2026. Attackers exploit the platform's webhook functionality to deliver malware and fingerprint devices while bypassing security filters through trusted infrastructure. Email volume containing n8n webhook URLs increased by 686% between January 2025 and March 2026. Observed campaigns utilize CAPTCHA-protected pages to deliver remote access tools including modified Datto RMM and ITarian Endpoint Management software. The webhooks mask malicious payload sources behind legitimate n8n domains. Additional abuse cases involve tracking pixels embedded in emails for device fingerprinting. These attacks demonstrate how legitimate productivity and automation platforms can be weaponized, requiring behavioral detection approaches rather than simple domain blocking to protect organizational workflows.