Threat actors are abusing n8n's managed cloud-hosted workflows and exposed webhook URLs on the *.app.n8n.cloud domain to run phishing campaigns that deliver malicious payloads and fingerprint devices. Cisco Talos warns these campaigns use n8n-hosted pages and CAPTCHA triggers to fetch modified RMM installers (including Datto and ITarian) for persistent remote access, with webhook-related phishing volume spiking sharply.
Key points
- Attackers weaponize n8n managed cloud subdomains and webhook URLs to host phishing content.
- Exposed webhooks return HTML/JavaScript that makes browsers fetch payloads appearing to come from n8n domains.
- Campaigns deliver executables or MSI installers that deploy modified RMM tools like Datto and ITarian to establish persistence and C2 connections.
- Invisible images or tracking pixels on n8n webhook URLs are used to fingerprint recipients and confirm email opens.
- Cisco Talos urges security teams to harden low-code automation platforms and monitor webhook usage to prevent abuse.
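One way a mail-filtering or triage step could surface the links and tracking pixels described above. This is an added example, not code from Cisco Talos or n8n; the "invisible image" heuristic, the function names and the sample message (tenant names, paths) are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

N8N_SUFFIX = ".app.n8n.cloud"  # managed-cloud domain named in the article


def is_n8n_cloud(url):
    """True only when the URL's host is a subdomain of app.n8n.cloud."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL in the message body
        return False
    return host.endswith(N8N_SUFFIX)


def looks_invisible(attrs):
    """Heuristic (assumption): 0/1-pixel dimensions or a hiding CSS rule."""
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    style = attrs.get("style", "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style


class N8nMailScanner(HTMLParser):
    """Collects (kind, url) findings for n8n-cloud links and images."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img" and is_n8n_cloud(a.get("src", "")):
            kind = "tracking_pixel" if looks_invisible(a) else "remote_image"
            self.findings.append((kind, a["src"]))
        elif tag == "a" and is_n8n_cloud(a.get("href", "")):
            self.findings.append(("link", a["href"]))


def scan_email_html(html):
    scanner = N8nMailScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample body; tenant names and paths are made up.
SAMPLE = """
<p>Your document is ready.
<a href="https://example-tenant.app.n8n.cloud/webhook/doc-view">Open</a></p>
<img src="https://EXAMPLE-tenant.app.n8n.cloud/webhook/open?id=42" width="1" height="1">
<img src="https://cdn.example.org/logo.png" width="120">
<a href="https://app.n8n.cloud.lookalike.example/webhook/x">Help</a>
"""
```

Matching on the parsed host name rather than a substring keeps the lookalike domain in the sample from being counted, and a finding is a triage signal rather than a verdict, since legitimate n8n workflows use the same domain.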
Read More: https://thehackernews.com/2026/04/n8n-webhooks-abused-since-october-2025.html