How the Zapocalypse Exploit Chain Composed Five Known Anti-Patterns into a Catastrophic Supply Chain Vulnerability
Token Security researchers chained five known anti patterns to escalate a free Zapier account to write access on the company's public and internal NPM packages, starting from a Lambda sandbox escape and ending with th... Zapier triaged the report within four days, revoked the leaked token, and confirmed full remedia...
What was the "Zapocalypse" exploit chain in Zapier, how did each of its five stages work from sandbox escape to NPM publish access, what vulThe Zapocalypse chain connected AWS Lambda, ECR, container image history, NPM tokens, and browser code execution—none of which were individually vulnerable.
AI Prompt
Create a landscape editorial hero image for this Studio Global article: What was the "Zapocalypse" exploit chain in Zapier, how did each of its five stages work from sandbox escape to NPM publish access, what vul. Article summary: Here is a comprehensive breakdown of the "Zapocalypse" exploit chain, based on the disclosure by Token Security researchers and the reporting by Help Net Security [5].. Topic tags: general, documentation, general web. Reference image context from search candidates: Reference image 1: visual subject "# Welcome to IT-Branschen – The Channel for IT News, Cybersecurity and Digital Trends. ## For Companies, Suppliers and Decision Makers in the IT Industry. ### Digital strategy and" source context "Zapier's NPM account hacked, 425 packages infected" Reference image 2: visual subject "A newly disclosed exploit chain dubbed Zapocalypse shows how a low-privilege code-ex
openai.com
In May 2026, Token Security researchers disclosed a five-stage exploit chain they dubbed "Zapocalypse," which demonstrated how a series of known anti-patterns could be composed to turn a free Zapier account into write access on Zapier's public developer SDK packages and internal packages. Each individual link in the chain was a well-understood security issue that a single team could reasonably dismiss as acceptable. The vulnerability was not in any one system but in the composition across five different teams that never had to trace an attack path together .
Stage 1: Sandbox Escape via Memory Scavenging
The chain began inside Zapier's Code by Zapier feature, which executes user-supplied Python and JavaScript within AWS Lambda containers. Zapier's Lambda handler attempted to scrub AWS credentials from environment variables by deleting them from os.environ using Python's
del os.environ[k]
before passing the code to exec(). However, this approach only calls libc's unsetenv—it does not zero out the bytes that remain on the process heap .
Studio Global AI
Search, cite, and publish your own answer
Use this topic as a starting point for a fresh source-backed answer, then compare citations before you share it.
What is the short answer to "How the Zapocalypse Exploit Chain Composed Five Known Anti-Patterns into a Catastrophic Supply Chain Vulnerability"?
Token Security researchers chained five known anti patterns to escalate a free Zapier account to write access on the company's public and internal NPM packages, starting from a Lambda sandbox escape and ending with th...
What are the key points to validate first?
Token Security researchers chained five known anti patterns to escalate a free Zapier account to write access on the company's public and internal NPM packages, starting from a Lambda sandbox escape and ending with th... Zapier triaged the report within four days, revoked the leaked token, and confirmed full remediation by March 5, 2026, with no evidence of exploitation in the wild.
What should I do next in practice?
The core lesson is that no single team owned a vulnerability: the Lambda, IAM, CI, NPM, and browser teams each made individually reasonable decisions that became catastrophic when composed across system boundaries.
The researchers exploited this by reading /proc/self/mem and running four regex patterns against readable memory regions. They successfully recovered live AWS STS session tokens for the Lambda's IAM role, bypassing the sandbox entirely .
Stage 2: ECR Enumeration with Minimal Permissions
The recovered AWS role was named allow_nothing_role, but its name was misleading. The role granted four Elastic Container Registry (ECR) permissions: ecr:DescribeRepositories, ecr:ListImages, ecr:BatchGetImage, and ecr:GetDownloadUrlForLayer.
These four permissions proved sufficient to pull container images through the AWS API directly, without ever needing a Docker registry authentication token. Using these permissions, the researchers enumerated 1,111 production repositories and pulled container images using layer-fetch APIs .
Stage 3: NPM Token Recovery from Container Image History
Within one of the pulled container images, the researchers discovered an NPM publish token that had leaked into the container's configuration history. The token had been passed to the build process through a Dockerfile ARG instruction, which serializes permanently into the image's immutable history[] field. This meant the token was recoverable by anyone who could pull the image .
Stage 4: NPM Publish Access with Bypassed 2FA
The recovered NPM token contained three critical properties:
action: write
,
name: null
, and
bypass_2fa: true
. This combination granted publish rights to every package the associated NPM account could publish, including zapier-platform-core, zapier-platform-cli, and zapier-design-system.
The
bypass_2fa: true
setting meant that two-factor authentication was not required for any publish action, effectively granting unrestricted write access to the NPM registry for all associated packages .
Stage 5: Potential Supply Chain Foothold and Browser Code Execution
The most critical package in the chain was zapier-design-system, which loads in every authenticated session on zapier.com. The researchers verified this load path through browser developer tools and stopped at this point—they did not publish a malicious package .
Had an attacker published a poisoned version, it would have executed attacker-controlled JavaScript inside the authenticated zapier.com origin on the next release. From that position, an attacker could create Zaps, Tables, and MCP servers, and drive existing integrations through the platform on behalf of authenticated users. OAuth tokens and API keys for connected services remain server-side and would not have been directly exposed to the browser, but the operational impact would still have been severe .
Zapier's Response Timeline
Token Security submitted the report on February 12, 2026. Within four days, Zapier had triaged the report, revoked the leaked NPM token, and tightened the underlying AWS role. Remediation was confirmed as complete by March 5, 2026. Zapier reported no evidence of exploitation in the wild .
The researchers received the program's maximum bounty of $3,000, and Zapier committed to reviewing the bounty cap at its next program review .
It is worth noting that this research disclosure is separate from a real-world supply chain attack on Zapier's NPM account that occurred on November 24, 2025, when the Shai Hulud 2.0 worm compromised the account and infected 425 packages .
The Broader Lesson: Composed Vulnerabilities Fall Between Teams
Yair Balilti, Security Research Team Lead at Token Security, articulated the core finding:
"Every link in the chain was a known pattern. The vulnerability was the composition, and composition is exactly what falls between teams. The Lambda sandbox, ECR and IAM, the GitLab CI token, NPM publishing, the browser—each is owned by a different group, and each can look at its own piece and reasonably conclude it's fine. The risk only appears when you trace a path across all of them."
The takeaway is that no single team owned an individual vulnerability. The Lambda sandbox team saw no issue with memory scavenging because the token should have been out of scope anyway. The IAM team saw a role scoped to read-only ECR actions. The CI/build team passed the NPM token as a build ARG. The NPM team managed a token with write access. The browser team loaded a design-system package. Each decision was individually reasonable, but the chain across all five systems was catastrophic .
This demonstrates that identity and access reviews must trace attack paths across system boundaries rather than auditing each component's permissions in isolation. Organizations need cross-team security reviews that examine how seemingly harmless configurations compose into dangerous attack chains when systems interact .
socdefenders.aiZapier exploit chain shows how known anti-patterns ...
Comments
0 comments