Cybertech Europe 2026-IT Industry Official Media Partner
Subscribe

Stay up to date with the most important news

By pressing the Subscribe button, you confirm that you have read and agree to our privacy policy and terms of use
Contact us

Zapier's NPM account hacked, over 400 packages infected with malware

Zapier's NPM account hacked - Zapier's NPM account hacked, over 400 packages infected with malware | IT-Branschen Zapier's NPM account hacked - Zapier's NPM account hacked, over 400 packages infected with malware | IT-Branschen
Zapier's NPM account hacked, over 400 packages infected with malware – Published by IT-Branschen

Zapier's NPM account hacked and 425 packages have been infected with Shai Hulud malware. The attack successfully compromised Zapier’s NPM account, leading to the injection of malicious code into a large number of npm packages used in both development and production environments worldwide. The attack affects critical infrastructure components, development tools, and CI CD environments, and is one of the most extensive supply chain threats observed in 2025.

The infected packages together generate approximately 132 million monthly downloads, making the spread global and potentially catastrophic for organizations that do not actively monitor their dependencies or use security checks during installation.

Several high-profile projects and organizations are among those affected, including AsyncAPI ENS Domains PostHog Postman and Zapier itself. The compromised libraries are used in everything from API documentation and analytics tools to authentication. SDK modules and integrated production environments, which makes the attack surface broad and very difficult to control.

  • Maciek Szczesniak featured on IT-Branschen Wire Channel Magic Chats podcast banner
    Maciek Szczesniak appears on IT-Branschen Wire Channel Magic Chats, discussing leadership, innovation, digital transformation, and business services.
    SPONSORED

  • VORTIQ-X AI Governance helps companies transform AI into controllable and verifiable business value.
    VORTIQ-X is an AI Governance platform that helps organizations govern, verify, and create measurable business value from AI. The platform focuses on transparency, compliance, AI governance, and the effective use of AI in mission-critical processes.
    ADVERTISEMENT

  • Cybertech Europe 2026 cybersecurity conference in Rome with the IT industry as Official Media Partner
    Cybertech Europe 2026 is one of Europe's leading cybersecurity conferences, bringing together cybersecurity leaders, government officials, technology innovators, startups, investors, and enterprise decision-makers in Rome. The IT industry serves as an Official Media Partner, providing event coverage, executive interviews, industry insights, and cybersecurity news for Nordic and European audiences.
    ADVERTISEMENT

  • The IT industry Nordic technology media platform covering cybersecurity, cloud, AI, digital transformation, channel, MSP and enterprise IT news
    The IT industry is a leading Nordic technology media platform covering cybersecurity news, artificial intelligence, cloud computing, enterprise IT, digital transformation, managed services, channel partners, software development, telecommunications, data centers, IT infrastructure, technology leadership, business innovation, and emerging technologies. Through executive interviews, industry analysis, event coverage, thought leadership, product launches, vendor updates, and market insights, the IT industry connects technology decision-makers, CIOs, CISOs, CTOs, IT managers, MSPs, resellers, distributors, technology vendors, startups, and enterprise organizations across Sweden, Norway, Denmark, Finland, and Europe. Coverage includes cybersecurity trends, AI adoption, cloud strategy, enterprise software, networking, digital infrastructure, sustainability, compliance, governance, risk management, automation, data analytics, and future technology developments.
    OWN CONTENT

Frequently used packages infected

The affected packages include core libraries such as @zapier mcp integration @posthog nextjs @asyncapi cli and @postman secret scanner wasm. These are often found in both production pipelines and development environments where they are automatically installed via dependency management, meaning many organizations may have been exposed without realizing it.

The incident clearly shows how serious it is when Zapier's NPM account is hacked and becomes part of a larger supply chain attack that can quickly spread through dependency chains and affect thousands of projects simultaneously.

Several of the packages have a critical or high risk level because they are loaded in environments with access to authentication keys, sensitive logs, or internal API call. This means that the malicious code's ability to steal and manipulate information is significantly greater than with traditional client attacks.

Worm propagation and advanced propagation technology

According to Aikido Security works Shai Hulud Malware as a self-propagating worm that uses a staging mechanism embedded in setup bun.js to spread to other dependencies.

When the package is installed, the worm writes an initial staging code to the bundleAssets function and then attempts to find or download the Bun runtime environment. If Bun is found or can be installed, the payload bun environment.js is executed, which is the primary malicious module.

The technique shows that the attackers have a deep understanding of npm installations and how modern build pipelines handle dependencies. The worm checks system paths, attempts to install Bun if it is missing, and manipulates environment variables to ensure execution on Windows Linux and macOS.

Theft of secrets and leaked credentials

Shai Hulud is not only an execution tool but also an advanced module for stealing sensitive data. It extracts API keys tokens and internal secrets from infected systems and automatically uploads them to GitHub repositories with random names and a recurring description Sha1 Hulud The Second Coming.

 26.3k repositories exposed

The analysis shows that approximately 26,300 repositories now contain leaked credentials, posing a huge risk of secondary attacks. Threat actors can use these keys to gain access to cloud infrastructure development environments internal systems and external services.

The attackers made several critical mistakes

Researchers have discovered that several infected packages contained only the staging script setup bun.js but lacked the primary worm payload bun environment.js, suggesting an incomplete deployment or misconfiguration during the attack.

The absence of the primary payload limits the direct impact of the attack, but the staging code is still dangerous because it establishes persistence and allows attackers to later deliver a working payload without having to compromise the packets again.

Why the attack is so dangerous for the development chain

Package NameOrganizationUse CaseRisk Level
@zapier/mcp-integrationZapierModel Context Protocol IntegrationCritical
@zapier/ai-actionsZapierAI Actions ModuleHigh
@zapier/zapier-sdkZapierZapier Platform SDKCritical
@posthog/nextjsPostHogNext.js Analytics PluginCritical
@posthog/cliPostHogCommand Line InterfaceHigh
@posthog/plugin-serverPostHogEvent Processing ServerCritical
@asyncapi/cliAsyncAPIAsyncAPI CLI ToolCritical
@asyncapi/generatorAsyncAPIAPI Documentation GeneratorHigh
@asyncapi/parserAsyncAPISchema ParserHigh
@postman/secret-scanner-wasmPostmanSecret Scanning (WASM)Critical
@postman/postman-mcp-cliPostmanModel Context Protocol CLICritical
@postman/pm-bin-linux-x64PostmanPostman Linux BinaryCritical
@ensdomains/ensjsENS DomainsENS JavaScript LibraryHigh
@ensdomains/ens-contractsENS DomainsSmart ContractsHigh
posthog-jsPostHogJavaScript AnalyticsCritical
posthog nodePostHogNode.js AnalyticsCritical
zapier-platform-cliZapierZapier CLI PlatformCritical
zapier-platform-coreZapierZapier Core LibraryCritical

The attack on Zapier packages illustrates how vulnerable the ecosystem is to dependency attacks. Many companies use thousands of npm packages in their CI CD pipelines, and few have full control over the entire dependency tree. When a package is compromised, the consequences can spread quickly through codebases and environments.

Organizations that lack version locking, automated scanning, or real-time monitoring are at extra risk because infected packages can be installed automatically with every build.

Recommendations for all development teams

To reduce the risk should companies immediately:

• Inventory which of the affected packages are in use
• Run through all CI CD pipelines to find unexpected installations
• Scan codebases and containers for traces of setup bun and bun environment
• Roll back all authentication keys and tokens
• Implement strict policies for dependency control and version locking
• Implement real-time monitoring of new GitHub repositories
• Using tools for software composition analysis

Looking ahead and conclusion

This attack highlights how quickly the development chain can become an attack vector and the importance of being proactive with security practices. Threat actors are now directly targeting development tools because it provides maximum access and minimal detection time.

Companies must strengthen their security models in terms of tools, pipeline monitoring and training. Without a robust strategy, organizations risk falling victim to similar attacks even when their own systems are secure.

Turbo Intent Block: zapier npm attack shai hulud malware npm supply chain attack javascript package attack development chain secure code management dependency attacks global npm spread critical libraries hack attack npm infected packages development environments api keys Semantic Boosters: npm security code integrity github credentials leak bun runtime malware javascript ecosystem supply chain monitoring devops security developer warning compromised packages npm scanning automated detection npm protection dependency management Rank Math SERP Expansion: zapier npm account overview shai hulud malware explanation npm chain attack guide developer protection package control dependency review npm security Article Specific Block: zapier npm account hacked shai hulud worm attack api lackage github repos npm malware setup bun bun environment asyncapi posthog postman ens domains javascript security risks cybersecurity warning developer npm threat

Stay up to date with the most important news

By pressing the Subscribe button, you confirm that you have read and agree to our privacy policy and terms of use
  • Cybertech Europe 2026 cybersecurity conference in Rome with the IT industry as Official Media Partner
    Cybertech Europe 2026 is one of Europe's leading cybersecurity conferences, bringing together cybersecurity leaders, government officials, technology innovators, startups, investors, and enterprise decision-makers in Rome. The IT industry serves as an Official Media Partner, providing event coverage, executive interviews, industry insights, and cybersecurity news for Nordic and European audiences.
    ADVERTISEMENT

  • Maciek Szczesniak featured on IT-Branschen Wire Channel Magic Chats podcast banner
    Maciek Szczesniak appears on IT-Branschen Wire Channel Magic Chats, discussing leadership, innovation, digital transformation, and business services.
    SPONSORED

  • The IT industry Nordic technology media platform covering cybersecurity, cloud, AI, digital transformation, channel, MSP and enterprise IT news
    The IT industry is a leading Nordic technology media platform covering cybersecurity news, artificial intelligence, cloud computing, enterprise IT, digital transformation, managed services, channel partners, software development, telecommunications, data centers, IT infrastructure, technology leadership, business innovation, and emerging technologies. Through executive interviews, industry analysis, event coverage, thought leadership, product launches, vendor updates, and market insights, the IT industry connects technology decision-makers, CIOs, CISOs, CTOs, IT managers, MSPs, resellers, distributors, technology vendors, startups, and enterprise organizations across Sweden, Norway, Denmark, Finland, and Europe. Coverage includes cybersecurity trends, AI adoption, cloud strategy, enterprise software, networking, digital infrastructure, sustainability, compliance, governance, risk management, automation, data analytics, and future technology developments.
    OWN CONTENT

  • VORTIQ-X AI Governance helps companies transform AI into controllable and verifiable business value.
    VORTIQ-X is an AI Governance platform that helps organizations govern, verify, and create measurable business value from AI. The platform focuses on transparency, compliance, AI governance, and the effective use of AI in mission-critical processes.
    ADVERTISEMENT