Cisco Talos researchers Sean Gallagher and Omid Mirzaei have documented a sustained campaign in which threat actors have quietly provisioned n8n cloud accounts to weaponize webhook endpoints on the *.app.n8n.cloud domain since at least October 2025. What began as an obscure technical observation has crystallized into one of the more elegant living-off-the-land operations of the past year. By embedding webhook URLs in phishing emails disguised as shared documents, attackers serve HTML pages containing JavaScript that, after a CAPTCHA stage, force the victim's browser to pull down modified RMM installers (Datto and ITarian variants) that phone home to attacker-controlled infrastructure. A parallel track uses invisible tracking pixels to fingerprint targets at scale, feeding victim emails and metadata directly into automated follow-on campaigns.

The Hacker News coverage, while accurate on mechanics, underplays the strategic context and misses several critical dimensions. First, the 686% surge in n8n-linked emails between January and March 2026 is not an isolated spike; it tracks closely with the post-2024 explosion in adoption of agentic automation platforms. n8n, alongside tools like Zapier, Make, and Tray.io, has become default infrastructure for thousands of mid-market DevOps and SecOps teams seeking to connect disparate APIs without writing custom glue code. Attackers recognized this shift earlier than defenders. Provisioning a free n8n cloud tenant gives adversaries a subdomain that inherits the reputation of a legitimate SaaS provider, complete with valid TLS certificates and history of benign automation traffic.

This tactic synthesizes patterns seen in two related reports. Mandiant's 2025 "Living Off the Land" annual assessment documented increased abuse of legitimate remote-access and automation services, noting that 38% of initial access broker activity involved compromised or attacker-created accounts on SaaS platforms rather than traditional malware. Similarly, a 2024 Palo Alto Networks Unit 42 analysis of "reverse API" abuse (webhooks, OAuth callbacks, and ngrok tunnels) warned that any publicly reachable endpoint capable of returning attacker-controlled JavaScript would eventually be leveraged for drive-by delivery. The n8n campaign is the logical convergence of both trends: the platform's own documentation literally describes webhooks as "reverse APIs" that return HTTP streams, exactly the behavior Talos observed being abused.

What mainstream coverage has largely missed is the DevOps-specific targeting. n8n's user base skews toward infrastructure engineers, SREs, and AI-augmented workflow builders; these are precisely the personnel with high-privilege access to CI/CD pipelines, cloud consoles, and internal secrets managers. By fingerprinting via tracking pixels that exfiltrate email addresses and User-Agent strings through the n8n workflow itself, operators can prioritize high-value targets for secondary spear-phishing or sell the validated leads on initial-access markets. The use of CAPTCHA before payload delivery further suggests A/B testing of evasion techniques against email gateways and browser sandboxes.

The campaign also reveals an under-appreciated trust boundary failure. Cloud-hosted n8n instances create subdomains that security teams rarely monitor or segment. Corporate proxies and CASB solutions are typically tuned for Slack, GitHub, or AWS, not niche automation domains. Once a victim executes the RMM binary, the attackers achieve persistence through legitimate remote-monitoring channels that EDR tools often whitelist. This mirrors the 2023-2024 wave of compromised ConnectWise ScreenConnect instances but at greater scale and with lower operational cost to the adversary.

Longer-term implications extend beyond phishing. n8n workflows can chain multiple actions: pulling sensitive data from connected SaaS apps, conditional exfiltration, or even triggering outbound webhooks into internal enterprise systems if users have connected production credentials. The same flexibility marketed to developers becomes an attacker's force multiplier. Absent explicit webhook allow-listing, rate-limit monitoring, and domain-based egress controls, any organization using n8n cloud is inadvertently providing free infrastructure to threat actors.

The operation's six-month undetected run exposes a persistent analytic gap. Most threat intelligence feeds still prioritize novel malware families over novel abuse of legitimate platforms. Until defenders reframe their detection engineering around "expected versus anomalous behavior" for every SaaS subdomain their users touch, campaigns like this will remain invisible until the volume becomes impossible to ignore. The quiet hijacking of n8n is less a vulnerability in one product than a predictable consequence of the unchecked proliferation of cloud automation tools without commensurate security instrumentation.