Cyberscoop
Zapier Exploit Chain Grants Unauthorized NPM Access
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
Researchers at Token Security disclosed a five-stage exploit chain that allowed a free Zapier account to gain write access to both public and internal NPM packages. Each stage of the chain exploited known anti-patterns, culminating in a significant security vulnerability. The attack vector involved a sandbox escape within Zapier's Code by Zapier feature, which executes user-supplied Python and JavaScript in AWS Lambda containers. The vulnerability was reported on February 12, 2026, and was triaged by Zapier within four days, leading to the revocation of a leaked NPM token and tightening of AWS roles. The incident highlights the risks associated with supply chain vulnerabilities in widely used developer tools. No specific CVEs were disclosed in the articles. The current status indicates that the vulnerability has been addressed by Zapier.
Key Points: • A five-stage exploit chain allowed unauthorized access to Zapier's NPM packages. • The vulnerability was based on known anti-patterns and involved a sandbox escape. • Zapier responded quickly, revoking a leaked NPM token and tightening security measures.