zapier-npm - isotope¹³

Incident Summary

Zapier NPM Account Compromise (Shai Hulud V2)

The Sha1-Hulud "Second Coming" npm worm compromised Zapier packages across the @zapier scope and unscoped zapier-platform packages. Affected releases used a preinstall hook to invoke Bun and run an obfuscated credential stealer that harvested GitHub, npm, cloud, and local environment secrets, exfiltrated them through public GitHub repositories, attempted npm self-propagation, and registered a self-hosted GitHub Actions runner for persistence. The incident affected core Zapier platform and SDK packages.

Date: 2025-11-23 to 2025-11-24
Category: Open Source
Target Surface: Package registry
Insertion Phase: distribution
Impact: Credential theft
Cause: Compromised Account/Credentials

What Was Affected

Package zapier-npm

LanguageJavaScript

ComponentLibrary

Artifact typesource archive

Domain typepackage host

Domain npmjs.com

Repository github.com/zapier/zapier-platform

Compromised Versions

Incident Context

Motive: Credential Theft
Attribution: Third Party
Transitive: No
User Impact: 0
Observed Duration: 1 days

External References

Source Data

Source record: oss/zapier-npm/meta.yaml