Write-up
Zapier Security Incident - NPM Packages and Zapier Developers

We are sharing the root cause analysis for the incident on November 24th, 2025. We have also engaged an independent security vendor to conduct further investigation to confirm our findings below. 

Overview: At 5:50AM UTC on 11/24/2025, Zapier detected unauthorized modifications to certain npm packages associated with our Developer Platform, resulting from a third-party supply chain compromise known as Shai-Hulud.

The affected packages were unpublished at 10:30AM UTC on 11/24/2025, and remaining platform packages were deprecated at 2:30PM UTC. Our developer community was informed of the impacted packages at 3:58PM UTC and provided instructions to mitigate impact in case the packages were in use. This incident did not affect Zapier’s products, infrastructure or customer accounts, other than one product released in Closed Beta that was down due to incident response mitigation efforts and certain Zaps that did not complete during such efforts (see below). 

Root Cause: Zapier has a second-order dependency on an open source library called asyncapi/specs. As per reports from Aikido Security, the first infected packages were detected at 3:16AM UTC on 11/24/2024 from AsyncAPI. During routine processing to keep our dependencies up-to-date, the compromised library containing malicious code was downloaded, and it pushed unauthorized updates to some of our developer platform npm libraries. We've discovered no evidence, and received no reports, of compromise of any developer credentials or session tokens.

Controls: To seal the threat vector and prevent recurrence, we’ve taken the following steps:

  • Deprecated and then fully unpublished all compromised package versions.

  • Verified mandatory 2FA for users in the affected environment and confirmed the access did not come from a compromised account.

  • Paused all automatic dependency updates to stop upstream packages from being pulled pending further review.

  • Blocked pushes using impacted package versions to prevent recurrence.

  • Rebuilt all CI and build runners and cleared all runner caches, including S3 caches, to remove any contaminated artifacts.

  • Rotated all potentially exposed credentials and tokens, including runner variables and repository or project secrets.

  • Tightened CI and build pipeline protections with new detections and preventions for known malware indicators such as specific SHAs, processes, bun environment setup, and pre or post install scripts.

  • Strengthened endpoint protections on developer laptops with updated runtime rules tuned to this malware's behavior.

  • Expanded cloud runtime protections on security sensors to focus on this campaign.

  • Verified cloud controls, including IMDSv2, and monitoring showed no credential harvesting or lateral movement since the event.

  • Engaged an independent security vendor to perform additional investigation and confirm findings.
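The controls above that block impacted package versions and detect pre or post install scripts can be expressed as a lockfile audit run in CI before any install step. The following is an added example, not Zapier's own tooling; the package names, versions and the `auditLockfile` helper are constructed placeholders, and it assumes an npm lockfile in the v2/v3 format with a `packages` map.

```javascript
// Constructed denylist: package name -> blocked versions (placeholders, not real indicators).
const DENYLIST = new Map([
  ['example-platform-core', ['0.0.1-PLACEHOLDER']],
  ['@example-scope/specs', ['0.0.2-PLACEHOLDER']],
]);

// Constructed sample of the "packages" map from a lockfileVersion 3 package-lock.json.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-integration', version: '1.0.0' },
    'node_modules/example-platform-core': { version: '0.0.1-PLACEHOLDER' },
    'node_modules/left-helper': { version: '2.1.0', hasInstallScript: true },
    'node_modules/example-platform-core/node_modules/@example-scope/specs': {
      version: '0.0.2-PLACEHOLDER', hasInstallScript: true,
    },
    'node_modules/@example-scope/other': { version: '3.0.0' },
  },
};

// The package name is whatever follows the last "node_modules/" in the key,
// which covers nested (second-order) installs and scoped names alike.
function nameFromPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

function auditLockfile(lock, denylist, allowedScripts = []) {
  if (!lock.packages) throw new Error('lockfile v2/v3 with a "packages" map is required');
  const blocked = [];
  const installScripts = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    const name = nameFromPath(path);
    if (name === null) continue; // root project entry or workspace folder
    if ((denylist.get(name) || []).includes(meta.version)) {
      blocked.push({ name, version: meta.version, path });
    }
    // npm sets hasInstallScript on packages that run install-time lifecycle scripts.
    if (meta.hasInstallScript && !allowedScripts.includes(name)) {
      installScripts.push({ name, version: meta.version, path });
    }
  }
  return { blocked, installScripts, ok: blocked.length === 0 && installScripts.length === 0 };
}

const report = auditLockfile(SAMPLE_LOCK, DENYLIST, ['left-helper']);
console.log(JSON.stringify(report, null, 2));
```

A pipeline would fail the job when `ok` is false, and installing with `npm ci --ignore-scripts` keeps lifecycle scripts from running during the install itself.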

Impact: 


Zapier Account Owners/Users - Zapier accounts and products were not impacted by this incident, and no action was needed by Zapier account owners/users. We've discovered no evidence, and received no reports of any customer data loss or exposure of data as a result of this incident. During our mitigation efforts, certain services supporting Zaps needed to be restarted, resulting in some Zaps temporarily not completing. Customers with Zaps pending completion were notified via email.

Developers using the Zapier Developer Platform - No integrations were packaged with malware-infected Zapier packages, and our incident response team blocked pushes using infected versions as an additional mitigation step. 

We provided guidance in our Developer Platform on how to check package versions, and what to do if a developer had downloaded those packages in the brief period they were available. 

We've discovered no evidence, and received no reports, of any impact to the Zapier Developer Community, given that we have no evidence that the infected packages were installed by the Developer Community in the 4 hour and 40 minute window that the packages were available.

As part of our incident response efforts, Zapier Functions (in Closed Beta) was down for 2 hours and 18 minutes on November 24th (4:14pm UTC to 6:32pm UTC). Impacted customers were notified via email and our status page.

Summary: Zapier accounts and customer data were not affected. No developer integrations were built with infected packages. We continue to monitor the situation and will confirm through an independent security vendor. 


If you have any additional questions, please don’t hesitate to reach out to our Developer Support Team here: https://developer.zapier.com/contact. For more information about Zapier’s security and compliance, please refer to: https://zapier.com/security-compliance