The n8n n8mare: How threat actors are misusing AI workflow automation
ID: 554dbf10-3517-5cf0-b290-1df8636db3d0
STIX ID: report--554dbf10-3517-5cf0-b290-1df8636db3d0
Feed Name: Cisco Talos
Cisco Talos analyzed a rise in phishing campaigns that abuse AI workflow automation platforms, notably n8n. The campaigns embed webhook URLs in emails to serve dynamic, trusted-looking pages that deploy malware or fingerprint recipients. Examples include CAPTCHA-protected pages delivering executables and MSI installers that install modified Datto and ITarian RMM tools as backdoors, and tracking-pixel-style webhook URLs used for device fingerprinting. The report provides multiple IOCs and mitigation recommendations.
