Zapier Exploit Chain Grants Unauthorized NPM Access

Zapier Exploit Chain Grants Unauthorized NPM Access

First seen 28 May 2026, 15:18 UTC CyberscoopFeeds2.Feedburnerwww.token.securityCybersecuritynewsGbhackers+2 81% similarity 57.6

Article Content

Browse articles
ThreatCluster

Researchers at Token Security disclosed a five-stage exploit chain that allowed a free Zapier account to gain write access to both public and internal NPM packages. Each stage of the chain exploited known anti-patterns, culminating in a significant security vulnerability. The attack vector involved a sandbox escape within Zapier's Code by Zapier feature, which executes user-supplied Python and JavaScript in AWS Lambda containers. The vulnerability was reported on February 12, 2026, and was triaged by Zapier within four days, leading to the revocation of a leaked NPM token and tightening of AWS roles. The incident highlights the risks associated with supply chain vulnerabilities in widely used developer tools. No specific CVEs were disclosed in the articles. The current status indicates that the vulnerability has been addressed by Zapier.

Key Points: • A five-stage exploit chain allowed unauthorized access to Zapier's NPM packages. • The vulnerability was based on known anti-patterns and involved a sandbox escape. • Zapier responded quickly, revoking a leaked NPM token and tightening security measures.

ThreatCluster AI

Timeline

2026-02-12
Exploit chain reported to Zapier
Token Security disclosed a five-stage exploit chain that compromised Zapier's NPM packages.
Feeds2.Feedburner
2026-02-16
Zapier triages the report
Zapier acknowledged the report within four days and began remediation efforts.
Feeds2.Feedburner
2026-05-28
Public disclosure of exploit chain
Token Security published details of the exploit chain and its implications for Zapier's security.
Token Security

Community

Browse all →