Zapier exploit chain shows how known anti-patterns compose into critical risk (opens in new tab)

A five-stage exploit chain disclosed by Token Security researchers turned a free Zapier account into write access on Zapier’s public developer SDK packages and on internal packages that load in every authenticated zapier.com session. Each link in the chain was a known anti-pattern. The composition across five systems was the finding. Zapier triaged the report within four days of submission on February 12, 2026, revoked the leaked NPM token, and tightened the underlying AWS role … More → The p...