Zapier exploit chain shows how known anti-patterns compose into critical risk

A five-stage exploit chain disclosed by Token Security researchers turned a free Zapier account into write access on Zapier’s public developer SDK packages and on internal packages that load in every authenticated zapier.com session. Each link in the chain was a known anti-pattern. The composition across five systems was the finding.

Zapier triaged the report within four days of submission on February 12, 2026, revoked the leaked NPM token, and tightened the underlying AWS role by February 16. Remediation was confirmed on March 5. The researchers received the program maximum bounty of $3,000, with Zapier committing to review the cap at its next program review.

A path through five systems

The chain began inside Code by Zapier, a feature that lets users run Python or JavaScript inside the platform. The runtime executes inside AWS Lambda containers in us-east-1. A call to os.system('env') returned the Lambda environment.

The Lambda handler scrubs AWS credentials from the environment before passing user code to exec(). The scrubbing uses del os.environ[k]. That call removes the Python dictionary reference and invokes unsetenv in libc. It does not zero the bytes on the process heap. The researchers read /proc/self/mem, ran four regex patterns against readable memory regions, and recovered live STS session tokens for the role assigned to the Lambda.

The role was named allow_nothing_role. Enumeration showed it permitted ecr:DescribeRepositories, ecr:ListImages, ecr:BatchGetImage, and ecr:GetDownloadUrlForLayer. Those four permissions are sufficient to pull container images through the AWS API without ever requesting a Docker registry auth token. The researchers enumerated 1,111 production repositories and pulled images using the layer-fetch APIs.

In one image, an NPM publish token had leaked into the container config history. The token had been passed to the build through a Dockerfile ARG, which serializes into the image’s history[] field. NPM API metadata showed the token had action: write, name: null, and bypass_2fa: true. The combination granted publish rights to every package the associated account could publish, including zapier-platform-core, zapier-platform-cli, and zapier-design-system.
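The check below is an added example, not code from the researchers or from Zapier: it audits an image config blob for build-arg values recorded in history[], the leak path described above. The sample config, the name and value patterns, and the function name are constructed assumptions for illustration.

```python
import json
import re

# Constructed sample of an image config blob (not taken from any real image).
SAMPLE_CONFIG = json.dumps({
    "history": [
        {"created_by": "/bin/sh -c #(nop)  ARG NPM_TOKEN"},
        {"created_by": "|1 NPM_TOKEN=npm_EXAMPLEexample0000000000000000000000 "
                       "/bin/sh -c npm ci"},
        {"created_by": "RUN |2 NODE_ENV=production API_KEY=abc123 "
                       "/bin/sh -c npm run build # buildkit"},
        {"created_by": "/bin/sh -c #(nop)  CMD [\"node\" \"app.js\"]",
         "empty_layer": True},
    ]
})

# Build args in scope for a RUN step are recorded as "|<count> NAME=value ...".
BUILD_ARGS = re.compile(r"(?:^|\s)\|(\d+)\s+(.*)")
# Assumed heuristics: secret-looking argument names and common token shapes.
SECRET_NAME = re.compile(r"TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|CREDENTIAL", re.I)
SECRET_VALUE = re.compile(r"^(npm_[A-Za-z0-9]{30,}|AKIA[A-Z0-9]{16})$")


def find_build_arg_secrets(config_json):
    """Return (history_index, arg_name, redacted_value) for suspicious build args."""
    findings = []
    history = json.loads(config_json).get("history", [])
    for idx, entry in enumerate(history):
        match = BUILD_ARGS.search(entry.get("created_by", ""))
        if not match:
            continue
        count, rest = int(match.group(1)), match.group(2)
        # The first <count> tokens are the args; values with spaces are not handled.
        for pair in rest.split()[:count]:
            name, sep, value = pair.partition("=")
            if not sep or not value:
                continue
            if SECRET_NAME.search(name) or SECRET_VALUE.match(value):
                # Redact so the audit report does not become a second leak.
                findings.append((idx, name, value[:4] + "..."))
    return findings


if __name__ == "__main__":
    for idx, name, redacted in find_build_arg_secrets(SAMPLE_CONFIG):
        print(f"history[{idx}]: build arg {name} = {redacted}")
```

Passing the value through a BuildKit secret mount (`RUN --mount=type=secret`) instead of ARG keeps it out of the image history.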

The zapier-design-system package loads in every authenticated session on zapier.com. The researchers verified the load path in browser developer tools and stopped there. A poisoned version of the package would have executed attacker-controlled JavaScript inside the authenticated origin on the next release. An attacker with that access could act as the user inside Zapier, creating Zaps, Tables, and MCP servers and driving the user’s existing integrations through the platform. OAuth tokens and API keys for connected services remain server-side and would not have been exposed to the browser.

The seams between systems

Yair Balilti, Security Research Team Leader at Token Security, told Help Net Security the composition is what made the chain work. “Every link in the chain was a known pattern. The vulnerability was the composition, and composition is exactly what falls between teams. The Lambda sandbox, ECR and IAM, the GitLab CI token, NPM publishing, the browser, each is owned by a different group, and each can look at its own piece and reasonably conclude it’s fine. The risk only appears when you trace a path across all of them.”

Exposure window and forensics

The NPM token recovered by the researchers was first issued in November 2025 and revoked on February 16, 2026. Zapier has reported no evidence of exploitation in the wild, and the researchers report none of their own. Their access was limited to what allow_nothing_role permitted, which covered enumeration and reads against ECR. They did not access Zapier’s audit logs.

Balilti said the question of whether the role or token was used by anyone else during that window can only be answered by Zapier’s own forensic review. “We can’t speak to whether the role or token was used by anyone else between November and our discovery, that’s a forensic question only Zapier can answer from their own logs. What we can confirm is that the NPM token was still valid and active when we found it.”

Zapier has confirmed no evidence of exploitation of this chain in the wild beyond the research itself. The chain did not access customer data, customer credentials, or customer workflows, and was fully remediated under coordinated disclosure. No customer-side action is required.
