Zapocalypse: Full Zapier Account Takeover via a Chain of Sandbox Escape and Metadata Leaks
2026-5-28 14:57:22 Author: cybersecuritynews.com

A newly disclosed exploit chain dubbed Zapocalypse shows how a low-privilege code-execution feature inside Zapier could have been chained into a supply-chain path with platform-wide account takeover impact.

Token Security said its researcher will present the Zapocalypse exploit chain targeting Zapier users at fwd:cloudsec North America on June 1, 2026.

Zapocalypse Attack Chain

According to the research, the attack started inside “Code by Zapier,” where Python code was executed in an AWS Lambda environment. From that foothold, the researchers said they could run operating system commands, inspect the runtime, and confirm that the function had previously handled AWS session credentials before those values were scrubbed from environment variables.

The key weakness was not a single zero-day bug, but the composition of several known patterns. First, the team used sandbox reconnaissance to verify that OS-level command execution was possible.

| # | Stage | Primitive | Technical Detail |
|---|-------|-----------|------------------|
| 1 | Sandbox Reconnaissance | os.system execution | os.system works inside “Code by Zapier,” confirming OS-level command access within the Lambda environment |
| 2 | Credential Recovery | /proc/self/mem scraping | STS tokens “orphaned” in the Lambda heap were recovered via /proc/self/mem regex scanning, bypassing del os.environ[k] cleanup |
| 3 | Lateral Movement | Misconfigured IAM role | A role literally named allow_nothing_role permitted ECR enumeration (DescribeRepositories, ListImages, BatchGetImage, GetDownloadUrlForLayer) and image pulls |
| 4 | Secret Hunting | Leaked NPM token in container metadata | A high-privilege NPM publish token with bypass_2fa: true was exposed in container build metadata (ARG/ENV history), not the filesystem |
| 5 | Supply-Chain Reach | NPM publish rights to frontend package | Publishing rights into zapier-design-system, a private package loaded on every authenticated zapier.com session, enabling platform-wide stored XSS and account takeover |

Next, they recovered orphaned STS credentials from process memory through /proc/self/mem, arguing that deleting environment variables removed references but did not wipe the underlying bytes from memory.

That opened the door to lateral movement using an IAM role named allow_nothing_role, which turned out to permit enough Elastic Container Registry access to enumerate repositories and pull container data.
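A role's name says nothing about what its policy grants, so the check has to read the policy itself. The following is an added example, not code from the research or from Zapier: it tests an identity policy document for the four ECR actions the article lists. The sample policy is constructed, and the check deliberately ignores NotAction, Resource scoping on Allow statements, permission boundaries and SCPs.

```python
from fnmatch import fnmatchcase

# ECR read actions the article lists for allow_nothing_role.
ECR_PULL_ACTIONS = (
    "ecr:DescribeRepositories",
    "ecr:ListImages",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
)

def _as_list(value):
    """IAM accepts a single item or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _covers(stmt, action):
    # Action names are case-insensitive and may use * and ? wildcards.
    return any(fnmatchcase(action.lower(), str(p).lower())
               for p in _as_list(stmt.get("Action")))

def _is_blanket_deny(stmt):
    # Only an unconditional Deny on every resource is safe to subtract;
    # a scoped or conditional Deny may still leave the action reachable.
    return (stmt.get("Effect") == "Deny" and "Condition" not in stmt
            and _as_list(stmt.get("Resource")) == ["*"])

def granted_ecr_pull_actions(policy):
    """Return the ECR pull actions the policy allows and does not blanket-deny."""
    stmts = _as_list(policy.get("Statement"))
    granted = []
    for action in ECR_PULL_ACTIONS:
        allowed = any(s.get("Effect") == "Allow" and _covers(s, action) for s in stmts)
        denied = any(_is_blanket_deny(s) and _covers(s, action) for s in stmts)
        if allowed and not denied:
            granted.append(action)
    return granted

# Constructed policy for a role whose name promises no access.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecr:Describe*", "ecr:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ecr:*Get*", "Resource": "*"},
    ],
}
```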

From there, the researchers said they found a privileged NPM token exposed in container build metadata rather than the image filesystem. That token allegedly had package publishing rights and bypassed two-factor authentication, giving access to both public Zapier developer packages and private internal components.

The most important target was zapier-design-system, a private package loaded into authenticated Zapier sessions, which meant a malicious update could have delivered attacker-controlled JavaScript into the browser context of logged-in users.

That browser execution path is what elevated the finding from a container and secrets issue into a full platform account takeover scenario. In practical terms, an attacker would not have received raw OAuth tokens or third-party API credentials directly, because those remain server-side.

But they could have acted as the victim within Zapier’s authenticated interface, creating or modifying Zaps, Tables, MCP servers, and workflows that used the victim’s existing app connections.

The research also described a separate but narrower exposure involving a hardcoded Zapier Actions MCP key inside a LiteLLM-related container.

That token reportedly authenticated as a real user and enabled actions such as sending email through connected services, showing how secrets embedded in images can create immediate identity risk even without a broader platform compromise.

The most important lesson is architectural. The report argues that scrubbing secrets after code starts running is not a sufficient control if untrusted code executes in the same process that previously held credentials.

It also highlights a common CI/CD mistake: passing sensitive build secrets through ARG or ENV, where they can survive in image metadata long after teams believe the secret is gone.
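The ARG/ENV exposure can be audited from the image configuration alone, without unpacking any layer. The following is an added example, not the researchers' tooling: it assumes the OCI image config layout (`config.Env` and `history[].created_by`), uses a name heuristic chosen for illustration, and runs over a constructed config with a placeholder token.

```python
import re

# Variable names that suggest a credential (illustrative heuristic).
SECRET_NAME = re.compile(r"TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|CREDENTIAL", re.I)
# NAME=value pairs as they appear in ENV lines and in "|1 NAME=value" RUN prefixes.
ASSIGNMENT = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)=(\"[^\"]*\"|'[^']*'|\S+)")

def redact(value):
    """Keep a short prefix so the finding is recognisable but not reusable."""
    return value.strip("\"'")[:4] + "***"

def find_metadata_secrets(image_config):
    """Return (location, name, redacted value) for secrets baked into image metadata."""
    findings = []
    # ENV instructions persist in the runtime environment of every container.
    for entry in (image_config.get("config") or {}).get("Env") or []:
        name, _, value = entry.partition("=")
        if value and SECRET_NAME.search(name):
            findings.append(("config.Env", name, redact(value)))
    # Build args consumed by RUN, and ENV lines, are recorded in layer history.
    for i, layer in enumerate(image_config.get("history") or []):
        for name, value in ASSIGNMENT.findall(layer.get("created_by") or ""):
            if SECRET_NAME.search(name):
                findings.append((f"history[{i}]", name, redact(value)))
    return findings

# Constructed image config; the token value is a placeholder, not a real token.
SAMPLE_CONFIG = {
    "config": {"Env": ["PATH=/usr/local/bin:/usr/bin",
                       "NPM_TOKEN=npm_CONSTRUCTED_NOT_REAL"]},
    "history": [
        {"created_by": "/bin/sh -c #(nop)  ARG NPM_TOKEN"},
        {"created_by": "|1 NPM_TOKEN=npm_CONSTRUCTED_NOT_REAL /bin/sh -c npm ci"},
        {"created_by": "/bin/sh -c #(nop)  ENV NPM_TOKEN=npm_CONSTRUCTED_NOT_REAL"},
        {"created_by": "/bin/sh -c #(nop)  ENV NODE_ENV=production"},
    ],
}

if __name__ == "__main__":
    for location, name, value in find_metadata_secrets(SAMPLE_CONFIG):
        print(f"{location}: {name}={value}")
```

A secret supplied through a BuildKit secret mount (`RUN --mount=type=secret`) does not appear in either location.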

Token Security said it reported the issue to Zapier on February 12, 2026, and that the company acknowledged the report within hours, revoked the exposed NPM token, tightened the ECR role by February 16, and confirmed full remediation on March 5, 2026.

The researchers said the report received the program’s maximum $3,000 bounty, and Zapier committed to reviewing that cap as part of the response process.

For defenders, Zapocalypse is a reminder that supply-chain reach often begins with ordinary misconfigurations. When runtime isolation, least privilege, secret handling, and package publishing controls fail together, a “sandbox” can become the first step toward a platform-wide compromise.


Guru Baran


Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.


Article source: https://cybersecuritynews.com/zapocalypse-attack-chain-zapier/