Zapier exploit chain shows how known anti-patterns compose into critical risk
Token Security researchers disclosed a five-stage exploit chain against Zapier that turned a free account into write access on SDK packages and internal code loaded in every authenticated session.

A five-stage exploit chain disclosed by Token Security researchers turned a free Zapier account into write access on Zapier’s public developer SDK packages and on internal packages that load in every authenticated zapier.com session. Each link in the chain was a known security anti-pattern. The composition across five systems was the finding that made the attack consequential.
Zapier triaged the report within four days of submission on February 12, 2026, revoked the leaked NPM token, and tightened the underlying AWS role by February 16. Remediation was confirmed on March 5. The researchers received the program maximum bounty of $3,000, with Zapier committing to review the cap at its next program review.
The chain began inside Code by Zapier, a feature that lets users run Python or JavaScript inside the platform. The runtime executes inside AWS Lambda containers in us-east-1. A call to `os.system('env')` returned the Lambda environment. The Lambda handler scrubs AWS credentials from the environment before passing user code to `exec()`, using `del os.environ[k]`. That call removes the Python dictionary reference and invokes `unsetenv` in libc, but it does not zero the bytes on the process heap. The researchers read `/proc/self/mem`, ran four regex patterns against readable memory regions, and recovered live STS session tokens for the role assigned to the Lambda.
The role was named `allow_nothing_role`. Enumeration showed it permitted `ecr:DescribeRepositories`, `ecr:ListImages`, `ecr:BatchGetImage`, and `ecr:GetDownloadUrlForLayer`. Those four permissions are sufficient to pull container images through the AWS API without ever requesting a Docker registry auth token. The researchers enumerated 1,111 production repositories and pulled images using the layer-fetch APIs. In one image, an NPM publish token had leaked into the container config history. The token had been passed to the build through a Dockerfile ARG, which serializes into the image’s `history[]` field. NPM API metadata showed the token had `action: write`, `name: null`, and `bypass_2fa: true`. The combination granted publish rights to every package the associated account could publish, including `zapier-platform-core`, `zapier-platform-cli`, and `zapier-design-system`.
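A build-pipeline check for the ARG leak described above, as an added example that is not from Token Security or Zapier: it scans an image config's `history[]` entries for build arguments that look like secrets. The sample config, the token values, the `PUBLISH_ID` name and the detection patterns are constructed, and the parser assumes the `|N NAME=value ...` prefix that Docker builders write into `created_by`.

```python
import json
import re

# Docker builders record build args used by a RUN step as "|N NAME=value ...".
BUILD_ARGS = re.compile(r"^(?:RUN\s+)?\|(\d+)\s+(.*)$", re.S)
SECRET_NAME = re.compile(r"TOKEN|SECRET|PASSW|API_?KEY|AUTH|CREDENTIAL", re.I)
SECRET_VALUE = re.compile(r"^(npm_[A-Za-z0-9]{20,}|(AKIA|ASIA)[A-Z0-9]{16})$")

# Constructed image config; the token values are made-up placeholders.
SAMPLE_CONFIG = json.dumps({"history": [
    {"created_by": "/bin/sh -c #(nop) ADD file:0000 in / "},
    {"created_by": "ARG NPM_TOKEN", "empty_layer": True},
    {"created_by": "RUN |2 NODE_ENV=production NPM_TOKEN=npm_CONSTRUCTEDexample000000 "
                   "/bin/sh -c npm ci # buildkit"},
    {"created_by": "|1 PUBLISH_ID=npm_CONSTRUCTEDexample111111 /bin/sh -c npm publish"},
    {"created_by": "CMD [\"node\" \"index.js\"]", "empty_layer": True},
]})


def redact(value):
    """Keep a short prefix so a finding can be traced without re-leaking the value."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_history(config_json):
    """Return (history index, ARG name, redacted value) for secret-looking build args."""
    findings = []
    history = json.loads(config_json).get("history", [])
    for index, entry in enumerate(history):
        match = BUILD_ARGS.match(entry.get("created_by", ""))
        if not match:
            continue
        count, rest = int(match.group(1)), match.group(2)
        # Assumption: ARG values contain no spaces, so the first `count`
        # whitespace-separated tokens are the NAME=value pairs.
        for pair in rest.split()[:count]:
            name, _, value = pair.partition("=")
            # Flag on a secret-like name or on a value shaped like a known token.
            if value and (SECRET_NAME.search(name) or SECRET_VALUE.match(value)):
                findings.append((index, name, redact(value)))
    return findings


if __name__ == "__main__":
    for finding in scan_history(SAMPLE_CONFIG):
        print(finding)
```

Passing the token through a BuildKit secret mount (`RUN --mount=type=secret,...`) instead of an ARG keeps it out of `history[]`.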
The `zapier-design-system` package loads in every authenticated session on zapier.com. The researchers verified the load path in browser developer tools and stopped there. A poisoned version of the package would have executed attacker-controlled JavaScript inside the authenticated origin on the next release. An attacker with that access could act as the user inside Zapier, creating Zaps, Tables, and MCP servers and driving the user’s existing integrations through the platform. OAuth tokens and API keys for connected services remain server-side and would not have been exposed to the browser.
Yair Balilti, Security Research Team Leader at Token Security, told Help Net Security the composition is what made the chain work. "Every link in the chain was a known pattern. The vulnerability was the composition, and composition is exactly what falls between teams. The Lambda sandbox, ECR and IAM, the GitLab CI token, NPM publishing, the browser, each is owned by a different group, and each can look at its own piece and reasonably conclude it’s fine. The risk only appears when you trace a path across all of them."
The NPM token recovered by the researchers was first issued in November 2025 and revoked on February 16, 2026. Zapier has reported no evidence of exploitation in the wild, and the researchers report none of their own. Their access was limited to what `allow_nothing_role` permitted, which covered enumeration and reads against ECR. They did not access Zapier’s audit logs. Balilti said the question of whether the role or token was used by anyone else during that window can only be answered by Zapier’s own forensic review. Zapier has confirmed no evidence of exploitation of this chain in the wild beyond the research itself. The chain did not access customer data, customer credentials, or customer workflows, and was fully remediated under coordinated disclosure. No customer-side action is required.
CyberScoop obtained additional reporting on the Token Security disclosure, including a separate finding where researchers recovered a working API key belonging to the chief technology officer of an AI company that uses Zapier internally, allowing them to send email from the executive's Gmail account. The article notes that Zapier paid the program's maximum $3,000 bounty and that Token Security stressed the same chain-of-mistakes pattern likely exists at other automation platforms. Researchers recommended that organizations with heightened sensitivity review their automation logs and consider reauthorizing Zapier connections to sensitive systems.
Token Security's full disclosure reveals that the attack chain, dubbed Zapocalypse, begins with OS-level command execution inside Code by Zapier (AWS Lambda), recovers orphaned AWS STS credentials from process memory via `/proc/self/mem`, then leverages a misconfigured IAM role to enumerate ECR and pull container images. A leaked NPM publish token with `bypass_2fa` found in container metadata granted access to the private `zapier-design-system` package, enabling attacker-controlled JavaScript in authenticated sessions and full account takeover. A separate hardcoded Zapier Actions MCP key was also exposed in a LiteLLM container. Zapier revoked the token and tightened the ECR role within days of the February 12, 2026 report, and paid the maximum $3,000 bounty.