Zapier exploit chain shows how known anti-patterns compose into critical risk
ID: 2c705ba4-0a4e-5157-bf52-fbc8aedfb2f1
STIX ID: report--2c705ba4-0a4e-5157-bf52-fbc8aedfb2f1
Feed Name: Help Net Security
Researchers disclosed a five-stage exploit chain at Zapier: memory leakage from Code by Zapier Lambda runtimes allowed recovery of STS tokens; those credentials permitted enumeration and download of 1,111 ECR images; and one image's layer history contained an embedded NPM publish token. The token granted write/publish rights, including to a package loaded in every authenticated zapier.com session. Zapier revoked the token, tightened the AWS role, confirmed remediation, and reported no evidence of exploitation in the wild.
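The step of the chain a defender can check for directly is the secret in the image history. A Dockerfile `ARG`, `ENV` or `RUN echo "... _authToken=..." > .npmrc` instruction leaves its full text in the image config's `history[].created_by` field, and deleting the file in the same or a later layer does not remove that text. The scanner below is an added example written for this page, not code from Zapier or the researchers. The image config, the two npm tokens, the access key ID and the password are constructed; the patterns assume the npm granular token format (`npm_` plus 36 base62 characters) and the AWS temporary access key ID prefix (`ASIA`).

```python
import json
import re

# Constructed OCI image config (not a real Zapier image). Each history entry is
# what `docker history --no-trunc` shows in its CreatedBy column, and what
# `crane config IMAGE` or `skopeo inspect --config docker://IMAGE` returns as JSON.
# Every secret value below is made up.
SAMPLE_IMAGE_CONFIG = json.dumps({
    "architecture": "amd64",
    "os": "linux",
    "history": [
        {"created_by": "/bin/sh -c #(nop) ADD file:9c1a2b3c in /"},
        # a build ARG: the value survives in history even though ARGs are not in the final env
        {"created_by": "/bin/sh -c #(nop)  ARG NPM_TOKEN=npm_0123456789abcdefghijklmnopqrstuvwxyz"},
        # classic pattern: write .npmrc, install, delete it in the same layer (does not help)
        {"created_by": "/bin/sh -c echo \"//registry.npmjs.org/:_authToken=8b2c0d4e-1f3a-4b5c-9d6e-7f8a9b0c1d2e\" > /root/.npmrc && npm ci && rm /root/.npmrc"},
        # temporary STS credentials baked in as ENV
        {"created_by": "/bin/sh -c #(nop)  ENV AWS_ACCESS_KEY_ID=ASIAEXAMPLE123456789"},
        {"created_by": "/bin/sh -c #(nop)  ENV DB_PASSWORD=hunter2"},
        {"created_by": "/bin/sh -c #(nop)  CMD [\"node\" \"index.js\"]", "empty_layer": True},
    ],
})

# Specific patterns first so a value is reported under its most precise kind;
# the generic ARG/ENV pattern last catches anything the others miss.
SECRET_PATTERNS = {
    # npm granular access token: "npm_" followed by 36 base62 characters (assumed format)
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    # any registry auth token written into an .npmrc, whatever its format
    "npmrc_auth_token": re.compile(r"_authToken=([^\s\"'\\]+)"),
    # AWS temporary (STS) access key IDs start with ASIA (assumed prefix)
    "aws_sts_access_key": re.compile(r"\bASIA[0-9A-Z]{16}\b"),
    # ARG/ENV whose name suggests a credential; captures the assigned value
    "env_or_arg_secret": re.compile(
        r"\b(?:ARG|ENV)\s+[A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD|PASSWD|KEY)[A-Z0-9_]*=(\S+)"
    ),
}


def redact(value):
    """Keep enough of a secret to correlate findings without reproducing it."""
    if len(value) <= 12:
        return "***"
    return value[:8] + "..." + value[-4:]


def find_leaked_secrets(config_json):
    """Return one finding per (layer, secret value) found in history.created_by."""
    cfg = json.loads(config_json)
    findings = []
    for idx, entry in enumerate(cfg.get("history", [])):
        cmd = entry.get("created_by", "")
        seen = set()  # the same value matched by two patterns is reported once
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(cmd):
                value = m.group(1) if m.groups() else m.group(0)
                if value in seen:
                    continue
                seen.add(value)
                findings.append({"layer": idx, "kind": kind, "secret": redact(value)})
    return findings


if __name__ == "__main__":
    for f in find_leaked_secrets(SAMPLE_IMAGE_CONFIG):
        print(f"layer {f['layer']}: {f['kind']} {f['secret']}")
```

Run it over every image pulled from a registry (the config JSON from `crane config` or `skopeo inspect --config` is the input) and the ARG, the .npmrc write and the ENV credentials are each reported, including the token that the `rm /root/.npmrc` in the same layer was meant to hide. The check only sees build-instruction text: a secret that arrives via `COPY .npmrc` lives in the layer filesystem, not in `created_by`, and needs a walk of the layer tarballs instead. Keeping registry credentials out of both places means passing them as BuildKit secrets (`RUN --mount=type=secret,id=npmrc ...`) rather than as build args or environment variables.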
