Zapier Security Incident - NPM Packages and Zapier Developers
Resolved

Communications have been sent to Zapier Developers with the following guidance:

Recommendation for developers: 

  • What to do if you have downloaded any impacted packages?

    • Re-install the latest version of the package with “npm i <package-name>@latest” (this installs the latest version that is not impacted).

      • For instance, npm i zapier-platform-core@latest

    • Include “-g” for global installation

      • For instance, npm i -g zapier-platform-cli@latest

  • How to get the latest “good” package?

    • Run “npm i <package-name>@latest”

      • For instance, npm i zapier-platform-core@latest

  • Make sure no impacted versions are cached:

    • Run “npm cache clean --force”

    • Remove any local node_modules files

      • Run “rm -rf node_modules”

    • Remove package-lock.json to ensure fresh package version resolution

      • Run “rm -f package-lock.json”


Recommendation for partners who maintain integrations:

  • Integration developers: make sure that you have not pushed new versions with these packages installed in the timeframe above [5:50AM UTC to 2:03PM UTC].

If you pushed a new version with these packages installed, please rotate secrets and private keys with updated values using zapier env or through developer.zapier.com.
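
The cleanup steps above delete package-lock.json, so it is worth checking first whether the lockfile pinned an impacted version, since that is the evidence for deciding whether secrets need rotating. The following is an added example, not Zapier's code: the impacted version strings are placeholders (this page does not list them) and the sample lockfile is constructed.

```javascript
// Packages named in the advisory. The impacted version numbers are NOT on this
// page, so these entries are placeholders to replace with the published list.
const IMPACTED = {
  "zapier-platform-core": ["0.0.0-PLACEHOLDER-A"],
  "zapier-platform-cli": ["0.0.0-PLACEHOLDER-B"],
};

// Collect every {name, version, path} pinned by a parsed package-lock.json.
// Handles lockfileVersion 2/3 ("packages" map keyed by install path) and
// lockfileVersion 1 (nested "dependencies" tree), including transitive copies.
function pinnedVersions(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path) continue; // "" is the root project itself
      const i = path.lastIndexOf("node_modules/");
      const name = meta.name || (i < 0 ? path : path.slice(i + 13));
      found.push({ name, version: meta.version, path });
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      found.push({ name, version: meta.version, path });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Return the pinned entries whose version is on the impacted list.
function findImpacted(lock, impacted = IMPACTED) {
  return pinnedVersions(lock).filter(
    (p) => (impacted[p.name] || []).includes(p.version)
  );
}

// Constructed sample lockfile (not real data): one transitive impacted pin.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-integration", version: "1.0.0" },
    "node_modules/zapier-platform-core": { version: "9.9.9" },
    "node_modules/some-dep/node_modules/zapier-platform-core": { version: "0.0.0-PLACEHOLDER-A" },
  },
};
console.log(findImpacted(sampleLock));
```

To check a real project, pass the parsed contents of its package-lock.json to findImpacted before removing the file.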

If you have any additional questions, please reach out to Developer Support here: https://developer.zapier.com/contact.

Mon, Nov 24, 2025, 07:20 PM
Affected components

No components marked as affected

Updates

Monitoring

Our Engineering and Security teams are continuing to monitor this situation.

Zapier Functions is currently offline out of an abundance of caution. For updates about Functions specifically, you can follow along here: https://status.zapier.com/incidents/01KAVFSJ0GVZJ24WW3GJ9BK7G7.

Below is a list of affected packages and versions:

Mon, Nov 24, 2025, 06:02 PM

Investigating

At around 5:50 AM UTC on November 24, 2025, Zapier became aware that a subset of our NPM packages was involved in a supply chain compromise that injected malicious code into those packages.

Affected versions have been deprecated, and developers can use the latest versions to ensure they're unaffected.

At this time, all Zapier products are operating as expected and are not known to be affected.

Our team is currently investigating.

Mon, Nov 24, 2025, 03:58 PM