POPULAR AI TOOL HIJACKED TO SPREAD MALWARE
Trusted Business Software Becomes a Stealthy Weapon for Cybercriminals
A major warning has been issued to businesses and remote workers everywhere: a popular automation tool is being turned against its users. Security experts at Cisco Talos have discovered that hackers are exploiting “n8n,” a well-known platform used by companies to connect different apps and automate boring office tasks. Because n8n is a legitimate, trusted service, hackers are using its reputation to sneak past security filters that would normally block suspicious emails. By hiding their attacks inside a tool that looks professional, these digital thieves are finding a “secret door” into private computers.
The problem centers on a feature called a “webhook.” In the tech world, a webhook is like a digital ear that waits for information from another app. However, hackers have found a way to turn these ears into mouths that speak directly to your browser. Since October 2025, scammers have been setting up free accounts on the n8n cloud. This gives them a professional-looking web address that ends in “.n8n.cloud.” When they send you a link from this domain, your computer thinks it is safe because it comes from a famous software company, not a random, shady website.
How the “Shared Document” Trick Steals Control of Your PC
The most dangerous part of this scam is how realistic it feels. Researchers have seen a massive surge in these phishing emails, a recent increase of nearly 700%, in which the message looks like a colleague is sharing a document with you. When you click the link, you aren’t taken to a virus site immediately. Instead, you see a standard CAPTCHA test, the kind where you have to click boxes to prove you aren’t a robot. This simple step makes the whole process feel legitimate and lulls the victim into a false sense of security.
Once you pass the test, the n8n workflow triggers a hidden script. This script forces your computer to download a malicious file from a different server, but it does it in a way that makes your browser think the file is coming directly from n8n. This “masking” technique is incredibly effective at bypassing modern antivirus software. Once the file is opened, it installs modified versions of professional remote-management tools. While these tools are usually used by IT departments to help employees, the hackers use them to lock themselves into your system, giving them permanent access to your files, passwords, and even your webcam.
Invisible Spies are Watching Your Every Click
It isn’t just about stealing files; sometimes, the hackers just want to know who you are and where you live. A second version of this attack uses “fingerprinting.” The hackers embed an invisible image, often called a tracking pixel, inside an email. This tiny dot is hosted on an n8n webhook. The moment you open the email—without even clicking a single link—your email app automatically reaches out to the n8n server to “see” the image.
When this happens, the n8n workflow instantly records your IP address, what kind of phone or computer you are using, and your exact email address. This allows the attackers to build a profile on you, making their future attacks much more personal and harder to spot. It’s a silent form of spying that happens in the background of your daily life. Security teams are now urging everyone to be extremely careful with links involving automation platforms. The very tools designed to save us time and effort are now being used to automate the theft of our digital lives, and until better safeguards are in place, the responsibility falls on the user to stay alert.
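For mail and security teams, one way to surface both patterns described above is to scan a message's HTML for clickable links and auto-loading images whose host ends in ".n8n.cloud". The following is an added example, not code from Cisco Talos or n8n; the function names and the sample message (hosts, paths, placeholder IDs) are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

SUFFIX = ".n8n.cloud"  # domain suffix named in the article

def on_n8n_cloud(url):
    """True when the URL's host is a subdomain of n8n.cloud."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed URL, nothing to match
        return False
    # Drop a trailing dot so "x.n8n.cloud." cannot dodge the suffix check.
    return host.rstrip(".").lower().endswith(SUFFIX)

class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href") and on_n8n_cloud(a["href"]):
            self.findings.append(("link", a["href"]))
        elif tag == "img" and a.get("src") and on_n8n_cloud(a["src"]):
            # Images are fetched when the mail is opened, with no click.
            self.findings.append(("auto-loaded image", a["src"]))

def scan_email_html(html):
    """Return (kind, url) pairs for every n8n.cloud reference in the body."""
    scanner = _Scanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample body: hosts, paths and IDs are made up for this example.
SAMPLE = """
<p>Alex shared a document with you.</p>
<a href="https://example-tenant.app.n8n.cloud/webhook/PLACEHOLDER">Open</a>
<a href="https://n8n.cloud.example.net/doc">lookalike host, not n8n</a>
<img src="https://Example-Tenant.app.n8n.cloud/webhook/PLACEHOLDER-PIXEL"
     width="1" height="1">
<img src="https://intranet.example.com/logo.png">
"""

if __name__ == "__main__":
    for kind, url in scan_email_html(SAMPLE):
        print(f"{kind}: {url}")
```

Because n8n is a legitimate service, a match is a reason to review the message, not proof of an attack; organizations that use n8n themselves would compare hits against their own known instance names.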
