According to a report by The Hacker News, threat actors are weaponizing the popular AI workflow automation platform n8n to conduct sophisticated phishing campaigns and deliver malicious payloads. Researchers have observed attackers exploiting the platform's trusted infrastructure to bypass security filters, transforming productivity tools into conduits for remote access.

Attackers are leveraging n8n's webhook functionality, which exposes unique URLs on the *.app.n8n.cloud subdomain that initiate workflows when triggered by incoming data. These webhooks, originally designed for integrating applications, are now being embedded in phishing emails. In one observed campaign, a link disguised as a shared document led users to a page that, once the user completed a CAPTCHA, initiated a malicious payload download. The download appeared to originate from the n8n domain, masking the true source. The ultimate goal is to deploy remote monitoring and management (RMM) tools like Datto and ITarian Endpoint Management to establish persistence.

Another prevalent abuse involves using n8n webhooks as invisible tracking pixels that fingerprint devices by collecting data such as email addresses when emails are opened. The increasing weaponization of legitimate platforms like n8n highlights a growing trend of attackers exploiting trusted infrastructure to evade detection.

Source: The Hacker News
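A defender-side check for the pattern described above, as an added example that is not from the report or from n8n: it scans an HTML email body for links and remote images whose host falls under *.app.n8n.cloud. The sample HTML, the tenant name and the URL paths are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

N8N_CLOUD_SUFFIX = ".app.n8n.cloud"  # subdomain pattern named in the report


def is_n8n_cloud(url):
    """True when the URL's host (not its path or userinfo) is under *.app.n8n.cloud."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return False
    return host.rstrip(".").endswith(N8N_CLOUD_SUFFIX)


class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "a" and is_n8n_cloud(attr.get("href") or ""):
            self.findings.append(("link", attr["href"]))
        elif tag == "img" and is_n8n_cloud(attr.get("src") or ""):
            # A remote image on the webhook host is requested when the mail is opened.
            self.findings.append(("remote-image", attr["src"]))


def scan_html_body(html):
    """Return (kind, url) pairs for every n8n cloud link or image in the body."""
    scanner = _Scanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample body; the tenant name and paths are placeholders.
SAMPLE_HTML = """
<p><a href="https://tenant-placeholder.app.n8n.cloud/webhook/doc">Open document</a></p>
<a href="https://docs.example/app.n8n.cloud/guide">unrelated link</a>
<img src="https://tenant-placeholder.app.n8n.cloud/webhook/open?e=user%40example.org"
     width="1" height="1">
<img src="https://cdn.example/logo.png">
"""

if __name__ == "__main__":
    for kind, url in scan_html_body(SAMPLE_HTML):
        print(kind, url)
```

A match is a triage signal rather than a verdict, since legitimate senders may also use n8n cloud webhooks.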
Threat Intelligence, Phishing, Email security, AI/ML
AI workflow platform n8n abused for phishing and device fingerprinting




