答案已發布上週Last edited 上週15 來源

Zapocalypse 漏洞鏈：五個已知反模式點樣組合成災難級供應鏈漏洞

Token Security 研究人員將五個已知嘅反模式串連成一條攻擊鏈，由 AWS Lambda 沙箱逃逸開始，最終攞到 Zapier 公開同內部 NPM 套件嘅寫入權限，過程中仲繞過咗雙重認證（2FA）。 Zapier 喺收到報告後四日內完成初步分類，撤銷咗洩露嘅 NPM 權杖，並喺 2026 年 3 月 5 日確認修復完成，冇證據顯示漏洞曾被真實利用。

使用 Studio Global AI 搜尋並查核事實瀏覽更多熱門頁面

828K0

Illustration of the five-stage Zapocalypse exploit chain, showing how separate trusted systems connect to form a dangerous attack path — What was the "Zapocalypse" exploit chain in Zapier, how did each of its five stages work from sandbox escape to NPM publish access, what vulThe Zapocalypse chain connected AWS Lambda, ECR, container image history, NPM tokens, and browser code execution—none of which were individually vulnerable.
AI 提示
Create a landscape editorial hero image for this Studio Global article: What was the "Zapocalypse" exploit chain in Zapier, how did each of its five stages work from sandbox escape to NPM publish access, what vul. Article summary: Here is a comprehensive breakdown of the "Zapocalypse" exploit chain, based on the disclosure by Token Security researchers and the reporting by Help Net Security [5].. Topic tags: general, documentation, general web. Reference image context from search candidates: Reference image 1: visual subject "# Welcome to IT-Branschen – The Channel for IT News, Cybersecurity and Digital Trends. ## For Companies, Suppliers and Decision Makers in the IT Industry. ### Digital strategy and" source context "Zapier's NPM account hacked, 425 packages infected" Reference image 2: visual subject "A newly disclosed exploit chain dubbed Zapocalypse shows how a low-privilege code-ex
openai.com

2026 年 5 月，Token Security 嘅研究人員披露咗一個佢哋稱為「Zapocalypse」嘅五階段漏洞鏈，展示咗點樣將一系列已知嘅反模式組合起身，將一個免費嘅 Zapier 帳戶，變成對 Zapier 公開開發者 SDK 套件同內部套件嘅寫入權限。鏈中嘅每一個環節，都係一個單一團隊認為「可以接受」嘅已知安全問題。漏洞唔存在於任何一個單一系統，而係存在於五個唔同團隊之間嘅「組合」當中——呢啲團隊從來冇機會一齊追蹤完整嘅攻擊路徑。

第一階段：透過記憶體擷取逃逸沙箱

攻擊鏈由 Zapier 嘅 Code by Zapier 功能開始，呢個功能會喺 AWS Lambda 容器入面執行用戶提供嘅 Python 同 JavaScript 代碼。Zapier 嘅 Lambda handler 會喺將代碼傳遞畀 exec() 之前，嘗試用 Python 嘅


del os.environ[k]

指令，從 os.environ 環境變數中刪除 AWS 憑證。不過，呢個做法只係呼叫咗 libc 嘅 unsetenv 函數，並冇將仍然留喺處理程序堆疊（process heap）上嘅位元組清零。

研究人員利用呢個漏洞，透過讀取 /proc/self/mem，並對可讀嘅記憶體區域執行四個正則表達式（regex）模式掃描，成功復原咗 Lambda IAM 角色嘅有效 AWS STS 工作階段權杖（session token），完全繞過沙箱限制。

Studio Global AI

Search, cite, and publish your own answer

Use this topic as a starting point for a fresh source-backed answer, then compare citations before you share it.

使用 Studio Global AI 搜尋並查核事實

人們還問