Open Source · 2025-11-23 · 1 day · Credential Theft, Self Propagation

Zapier npm packages hit by Shai-Hulud

Part of the Sha1-Hulud worm spread across npm packages campaign

The Sha1-Hulud "Second Coming" npm worm compromised Zapier packages across the @zapier scope and unscoped zapier-platform packages.

Story

Zapier disclosed unauthorized modifications to a subset of its npm packages on November 24, 2025. The affected packages were developer tooling for Zapier platform integrations, not the Zapier product runtime, and Zapier said it had no indication of customer data loss.

The compromise lined up with the Sha1-Hulud "Second Coming" wave. Malicious npm releases installed a Bun-based payload that harvested secrets, wrote stolen data into attacker-created GitHub repositories, and tried to spread by abusing npm tokens and GitHub trusted-publishing paths.

Zapier unpublished the core platform packages by 10:30 UTC and deprecated the rest by 14:03 UTC. Its guidance was direct: do not install the affected versions, clean npm caches and local node_modules, reinstall current packages, and rotate secrets if compromised packages were used to publish integrations.
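
An added example (not Zapier's code and not part of this record) supporting the guidance above: it lists every `@zapier`-scoped and `zapier-platform`-prefixed entry resolved in a package-lock.json, including nested transitive copies, so the versions can be compared with Zapier's enumerated list. The sample lockfile, package names and versions are constructed placeholders, and matching unscoped packages by the `zapier-platform` prefix is an assumption.

```javascript
// Constructed sample: a parsed package-lock.json (lockfileVersion 3).
// Names and versions are placeholders, not Zapier's enumerated list.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-integration', version: '1.0.0' },
    'node_modules/@zapier/example-pkg': { version: '0.0.1-placeholder' },
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/some-dep/node_modules/zapier-platform-example': {
      version: '0.0.2-placeholder',
    },
  },
};

// The two package families the record names (prefix match is an assumption).
function isZapierTooling(name) {
  return name.startsWith('@zapier/') || name.startsWith('zapier-platform');
}

// Walk the lockfile "packages" map (npm 7+) and return every resolved Zapier
// tooling entry. `affected` is a Set of "name@version" ids that must be filled
// from Zapier's official advisory; this page does not carry the versions.
function findZapierPackages(lock, affected = new Set()) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const idx = lockPath.lastIndexOf('node_modules/');
    if (idx === -1) continue; // root project or workspace entry
    // Aliased installs record the real package name in entry.name.
    const name = entry.name || lockPath.slice(idx + 'node_modules/'.length);
    if (!isZapierTooling(name)) continue;
    const id = `${name}@${entry.version}`;
    hits.push({ id, path: lockPath, affected: affected.has(id) });
  }
  return hits;
}

// Constructed affected id, used only to show both outcomes.
const constructedAffected = new Set(['@zapier/example-pkg@0.0.1-placeholder']);
for (const h of findZapierPackages(sampleLock, constructedAffected)) {
  console.log(`${h.affected ? 'AFFECTED' : 'review  '} ${h.id}  (${h.path})`);
}
```

To check a real project, pass the result of `JSON.parse` on its package-lock.json; any entry reported as affected means the cache cleanup, reinstall and secret rotation steps apply.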

This record keeps Zapier as its own attack because the package scope is specific and officially enumerated. The broader worm remains modeled as the parent campaign.

Affected Artifacts

Incident Context

Motive: Credential Theft
Attribution: Group
Cause: Compromised Account Credentials
Transitive: No
Actor: Third Party

External References

Source record: oss/attacks/zapier-npm/meta.yaml