Blog
Back to articles
Threat/Vulnerability News

"n8n" is the new "admin."

Vlad Iliushin Portrait
Vlad Iliushin
|2 min read

On February 10, 2026, our deception network recorded "n8n" overtaking "admin" as the #2 most brute-forced SSH username. The campaign scaled from a handful of probing IPs to hundreds of unique sources in under a week, with attackers rapidly iterating through password variants.

Line chart showing SSH brute force attack trends from Jan 12 - Feb 11, 2026, tracking unique attacking IPs per credential for usernames "root" (blue), "admin" (yellow), and "n8n" (red). Shows "n8n" surpassing "admin" as second most targeted.

For years, the two most brute-forced SSH usernames have been the same: root and admin.
Boring, I know.

That changed yesterday, on February 10. Our deception network recorded n8n overtaking admin as the #2 most targeted SSH username on the internet. A workflow automation tool now gets more brute-force attention than one of the most generic default credentials in computing history.

And it happened in 11 days flat.

Here is the timeline:

  • Beginning of February - n8n username appears. A handful of IPs, targeted passwords from wordlists like n8n@123 and n8n123!.
  • Feb 7 - Botnet kicks in. Automated tools try n8n:n8n.
  • Feb 9 - Operators iterate. n8n:123456 replaces n8n:n8n as the top credential.
  • Feb 10 - Full scale. Hundreds of unique IPs scanning for n8n. admin drops to #3.


The username/password evolution tells the real story. Attackers started with product-specific guesses, pivoted to the obvious default, then settled on the thing that works. A botnet operator testing,
learning, and optimizing their wordlist in near real time.

Why n8n? Self-hosted workflow automation has exploded. If you follow the n8n setup guide, it does not specify which system username to use - but it is not a long stretch to use "n8n" for an
n8n service. Just like we did for 20 services before, and like we will do for 20 services after. Attackers watch adoption curves just as closely as VCs do - and the moment a platform gains
traction, it gets added to the wordlist.

Will it stay at #2?

Spoiler alert - it won't.

These campaigns come in waves. But the signal matters more than the ranking: attackers are actively tracking which self-hosted platforms are gaining adoption and updating their wordlists accordingly.

And here is the part that should make you think twice. Most n8n instances are not just running simple automations anymore. They are wired into OpenAI, Anthropic, cloud APIs - loaded with tokens and credentials for AI models. A compromised n8n instance is not just a foothold into a network. It is a ready-made automation platform with API keys to burn.

How long until someone builds the first AI SDR botnet off the back of stolen n8n workflows? Your compromised automation pipeline, their outbound campaign at scale.

Stacked bar chart showing SSH credential attack evolution from Feb 2-11, 2026, with passwords attempted for username "n8n". Peak activity on Feb 10 using passwords like "123456", "n8n", and "123".

Advisory If you are self-hosting n8n:

  • Disable SSH password authentication. Keys only.
  • Never expose SSH directly to the internet.
  • Deploy behind a reverse proxy with proper access controls.
  • Idk, throw ELLIO dynamic blocking to ease your access logs from all RECON and mass exploitation.


The scanning infrastructure spans DigitalOcean, OVH, UCloud HK, Microsoft Azure, and Indonesian cloud providers. The usual VPS-based botnet footprint.

admin had a good run. It will be back. But for one day, n8n took the crown.

Share this article

Written by

Vlad Iliushin Portrait
Vlad Iliushin

Vlad is the co-founder of ELLIO, a research lab turning mass exploitation and network reconnaissance data into actionable threat intelligence and real-world defense techniques. A lifelong cybersecurity enthusiast, he's especially passionate about network security, IoT, and cyber deception.

Before starting ELLIO, Vlad founded and led the Avast IoT Lab (now part of Gen Digital), where he worked on security tools and explored new IoT threats.

He has spoken at many community events like BSides and HackTheBay, as well as large conferences like Web Summit and SXSW where he showed how smart homes and connected devices can be vulnerable, even to non-cybersec audiences.

Back to articles

Related Articles

Hero image
Network Fingerprints
Technical Articles__17 min

IP Blocking vs TCP Fingerprint Blocking: How to Use and Combine Them

Learn how combining Threat Intelligence-based IP blocking and TCP fingerprinting enhances network security by disrupting attacker reconnaissance.

Vlad Iliushin Portrait
ELLIO Icon
Vlad Iliushin, ELLIO Team
Hero image
Product Updates__3 min

MITRE ATT&CK® framework now integrated into ELLIO Threat Platform

Transform your threat investigations with the ELLIO Threat Intelligence Platform. Now with MITRE ATT&CK threat mapping and advanced fingerprint analysis.

ELLIO Icon
ELLIO Team
Hero image
CVE
Threat/Vulnerability News__4 min

From Scan to Exploit: Inside the Latest Cisco ASA/FTD Campaign

From reconnaissance to exploitation in just 48 hours. See how 75 IPs executed surgical, one-hit attacks on Cisco ASA/FTD devices - and how to disappear from target lists.

ELLIO Icon
ELLIO Team