Phishers abuse n8n webhooks to deliver malware in rising attacks

Attackers have abused n8n workflow automation webhooks to deliver malware since October 2025. They used custom subdomains on app.n8n.cloud to bypass email security filters. The volume of malicious emails was 686 percent higher in March 2026 than in January 2025. A maximum severity remote code execution vulnerability known as Ni8mare was disclosed in January 2026 and left around 60,000 instances exposed. CISA added another n8n remote code execution issue to its known exploited vulnerabilities catalog in March 2026.
Bootstrapped founders have leaned on n8n to automate marketing sequences, legal document handling, and operational workflows. This allowed them to punch above their weight without expanding their team or learning complex new systems. The ongoing abuse demonstrates that these automation platforms can become vectors for malware delivery. A compromise here does not just slow down operations. It can damage the trust in automated customer interactions that solo operators depend on for sales.
Analysis
Founders who built their operations around n8n now face a direct threat to their automated systems. Treat public webhooks as a liability rather than a feature. Replace them immediately with custom workflows you generate and host yourself using Cloudflare and AI coding tools.
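A mail-pipeline check for the delivery pattern in the summary above, as an added example that is not part of the original briefing: it flags links whose host is a tenant subdomain of app.n8n.cloud. The /webhook/ and /webhook-test/ path prefixes, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Parent domain named in the briefing; tenant subdomains sit beneath it.
N8N_CLOUD_SUFFIX = ".app.n8n.cloud"
# Assumption: n8n's usual production and test webhook path prefixes.
WEBHOOK_PREFIXES = ("/webhook/", "/webhook-test/")
URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.IGNORECASE)


def n8n_webhook_links(raw_email: str) -> list[str]:
    """Return unique URLs in the text parts that point at an n8n cloud webhook."""
    msg = message_from_string(raw_email, policy=policy.default)
    hits: list[str] = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()  # undoes base64 / quoted-printable encoding
        for url in URL_RE.findall(body):
            try:
                parts = urlsplit(url)
            except ValueError:  # malformed URL, e.g. a broken IPv6 literal
                continue
            host = (parts.hostname or "").rstrip(".")
            # Suffix match on the parsed host, not a substring of the URL, so
            # app.n8n.cloud.example.net is not mistaken for a tenant subdomain.
            is_tenant = host.endswith(N8N_CLOUD_SUFFIX)
            if is_tenant and parts.path.lower().startswith(WEBHOOK_PREFIXES) and url not in hits:
                hits.append(url)
    return hits


def constructed_sample() -> str:
    """Constructed multipart message: one n8n webhook link and two decoys."""
    msg = EmailMessage()
    msg["Subject"] = "Shared document"
    msg.set_content("View: https://tenant-example.app.n8n.cloud/webhook/doc-1\n"
                    "Help: https://app.n8n.cloud.example.net/webhook/x\n")
    msg.add_alternative('<a href="https://tenant-example.app.n8n.cloud/webhook/doc-1">Open</a>'
                        '<a href="https://docs.example.org/webhook/guide">Docs</a>', subtype="html")
    return msg.as_string()


if __name__ == "__main__":
    print(n8n_webhook_links(constructed_sample()))
```

A hit is a signal for quarantine or review rather than proof of malice, since legitimate n8n users also send webhook links.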
Citation
This executive briefing was curated and analyzed by Collab365. To reference this analysis, please attribute: "This briefing is available on Collab365 Spaces (spaces.collab365.com)".