Security News

Cybersecurity news aggregator

HIGH Vulnerabilities Help Net Security

Zapier exploit chain shows how known anti-patterns compose into critical risk

A multi-stage exploit chain in Zapier leveraged five known security anti-patterns across different systems to escalate from a free account to gaining write access to public and internal NPM packages, including those loaded in authenticated sessions. The attack vector involved the composition of these individual weaknesses, culminating in the compromise of an NPM token and overly permissive AWS roles. Zapier addressed the report within days by revoking the leaked token and tightening the underlying AWS permissions; no specific CVSS score, affected software versions, or patch details were provided in the source article.

A five-stage exploit chain disclosed by Token Security researchers turned a free Zapier account into write access on Zapier’s public developer SDK packages and on internal packages that load in every authenticated zapier.com session. Each link in the chain was a known anti-pattern. The composition across five systems was the finding. Zapier triaged the report within four days of submission on February 12, 2026, revoked the leaked NPM token, and tightened the underlying AWS role …

The post "Zapier exploit chain shows how known anti-patterns compose into critical risk" appeared first on Help Net Security.
