Zapocalypse Attack Chain Leads to Full Zapier Account Takeover
A recently unveiled exploit chain, named “Zapocalypse,” reveals a critical vulnerability within Zapier that could have enabled platform-wide account takeovers. The attack leveraged a low-privilege code-execution feature, demonstrating how it could be chained into a potent supply-chain path.
Token Security said its researcher will present the Zapocalypse exploit chain targeting Zapier users at fwd:cloudsec North America on June 1, 2026.
Zapocalypse Attack Chain
According to the research, the attack started inside “Code by Zapier,” where Python code was executed in an AWS Lambda environment. From that foothold, the researchers said they could run operating system commands, inspect the runtime, and confirm that the function had previously handled AWS session credentials before those values were scrubbed from environment variables.
The key weakness was not a single zero-day bug, but the composition of several known patterns. First, the team used sandbox reconnaissance to verify that OS-level command execution was possible.
| # | Stage | Primitive | Technical Detail |
|---|---|---|---|
| 1 | Sandbox Reconnaissance | os.system execution | os.system works inside “Code by Zapier,” confirming OS-level command access within the Lambda environment |
| 2 | Credential Recovery | /proc/self/mem scraping | STS tokens “orphaned” in the Lambda heap were recovered via /proc/self/mem regex scanning, bypassing del os.environ[k] cleanup |
| 3 | Lateral Movement | Misconfigured IAM role | A role literally named allow_nothing_role permitted ECR enumeration (DescribeRepositories, ListImages, BatchGetImage, GetDownloadUrlForLayer) and image pulls |
| 4 | Secret Hunting | Leaked NPM token in container metadata | A high-privilege NPM publish token with bypass_2fa: true was exposed in container build metadata (ARG/ENV history), not the filesystem |
| 5 | Supply-Chain Reach | NPM publish rights to frontend package | Publishing rights into zapier-design-system, a private package loaded on every authenticated zapier.com session, enabling platform-wide stored XSS and account takeover |
Next, they recovered orphaned STS credentials from process memory through /proc/self/mem, arguing that deleting environment variables removed references but did not wipe the underlying bytes from memory.
That opened the door to lateral movement using an IAM role named allow_nothing_role, which turned out to permit enough Elastic Container Registry access to enumerate repositories and pull container data.
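An audit check for the gap described above, where a role's name promises nothing but its policy grants ECR read access. This is an added example, not code from the research or from Zapier; the policy document is constructed, and the evaluator deliberately ignores `Resource`, `Condition` and `NotAction`, so it over-reports rather than under-reports.

```python
from fnmatch import fnmatchcase

# The four ECR read actions the article lists for allow_nothing_role.
ECR_PULL_ACTIONS = [
    "ecr:DescribeRepositories",
    "ecr:ListImages",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
]

# Constructed policy document; the role's real policy is not on the page.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecr:Describe*", "ecr:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ecr:BatchGet*", "Resource": "*"},
        {"Effect": "Allow", "Action": "ecr:GetDownloadUrlForLayer", "Resource": "*"},
        {"Effect": "Deny", "Action": "ecr:Put*", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows Statement and Action to be a single item or a list."""
    return value if isinstance(value, list) else [value]


def _matches(statement, action):
    """True if any Action pattern in the statement covers the action (case-insensitive, * and ?)."""
    patterns = _as_list(statement.get("Action", []))
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def allowed_actions(policy, actions):
    """Return the actions the policy allows; an explicit Deny overrides any Allow."""
    statements = _as_list(policy.get("Statement", []))
    granted = []
    for action in actions:
        allow = any(s.get("Effect") == "Allow" and _matches(s, action) for s in statements)
        deny = any(s.get("Effect") == "Deny" and _matches(s, action) for s in statements)
        if allow and not deny:
            granted.append(action)
    return granted
```

A non-empty result for a role that is supposed to grant nothing is the finding; the role name carries no weight in evaluation.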
From there, the researchers said they found a privileged NPM token exposed in container build metadata rather than the image filesystem. That token allegedly had package publishing rights and bypassed two-factor authentication, giving access to both public Zapier developer packages and private internal components.
The most important target was zapier-design-system, a private package loaded into authenticated Zapier sessions, which meant a malicious update could have delivered attacker-controlled JavaScript into the browser context of logged-in users.
That browser execution path is what elevated the finding from a container and secrets issue into a full platform account takeover scenario. In practical terms, an attacker would not have received raw OAuth tokens or third-party API credentials directly, because those remain server-side.
But they could have acted as the victim within Zapier’s authenticated interface, creating or modifying Zaps, Tables, MCP servers, and workflows that used the victim’s existing app connections.
The research also described a separate but narrower exposure involving a hardcoded Zapier Actions MCP key inside a LiteLLM-related container.
That token reportedly authenticated as a real user and enabled actions such as sending email through connected services, showing how secrets embedded in images can create immediate identity risk even without a broader platform compromise.
The most important lesson is architectural. The report argues that scrubbing secrets after code starts running is not a sufficient control if untrusted code executes in the same process that previously held credentials.
It also highlights a common CI/CD mistake: passing sensitive build secrets through ARG or ENV, where they can survive in image metadata long after teams believe the secret is gone.
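A pre-publish check for the ARG/ENV mistake described above, scanning image metadata rather than the filesystem. This is an added example, not code from the research; the image config, the placeholder token and the name and value patterns are all constructed assumptions.

```python
import re

FAKE_TOKEN = "npm_" + "0" * 36  # constructed placeholder, not a real token

# Constructed image config, shaped like an OCI image config blob (the source of
# `docker history --no-trunc` and of the Env list in `docker image inspect`).
# Build args are recorded in the RUN entry as "|1 NAME=value".
SAMPLE_CONFIG = {
    "config": {"Env": ["PATH=/usr/local/bin:/usr/bin", f"CI_CRED={FAKE_TOKEN}"]},
    "history": [
        {"created_by": "ARG NPM_TOKEN"},
        {"created_by": f"RUN |1 NPM_TOKEN={FAKE_TOKEN} /bin/sh -c npm ci # buildkit"},
        {"created_by": f"ENV CI_CRED={FAKE_TOKEN}"},
        {"created_by": "COPY . /app # buildkit"},
    ],
}

# Heuristics (assumptions): secret-looking variable names, plus two well-known
# value shapes (npm_ tokens, AWS access key IDs) to catch innocuous names.
SECRET_NAME = re.compile(r"(TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|AUTH)", re.I)
SECRET_VALUE = re.compile(r"^(npm_[A-Za-z0-9]{36}|A[SK]IA[A-Z0-9]{16})$")
ASSIGNMENT = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)=(\S+)")


def find_metadata_secrets(image_config):
    """Return (location, name, redacted_value) for secret-like NAME=VALUE pairs."""
    env = (image_config.get("config") or {}).get("Env") or []
    sources = [("config.Env", entry) for entry in env]
    sources += [
        (f"history[{i}]", layer.get("created_by", ""))
        for i, layer in enumerate(image_config.get("history") or [])
    ]
    findings = []
    for location, text in sources:
        for name, value in ASSIGNMENT.findall(text):
            if SECRET_NAME.search(name) or SECRET_VALUE.match(value):
                # Keep only a short prefix so the report does not re-leak the value.
                findings.append((location, name, value[:4] + "***"))
    return findings
```

The bare `ARG NPM_TOKEN` declaration is not flagged; the value leaks through the `RUN` entry that consumed it. On the build side, BuildKit's `RUN --mount=type=secret` keeps the value out of image history.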
Token Security said it reported the issue to Zapier on February 12, 2026, and that the company acknowledged the report within hours, revoked the exposed NPM token, tightened the ECR role by February 16, and confirmed full remediation on March 5, 2026.
The researchers said the report received the program’s maximum $3,000 bounty, and Zapier committed to reviewing that cap as part of the response process.
For defenders, Zapocalypse is a reminder that supply-chain reach often begins with ordinary misconfigurations. When runtime isolation, least privilege, secret handling, and package publishing controls fail together, a “sandbox” can become the first step toward a platform-wide compromise.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


