Note: No action is needed from Zapier users, only from Zapier developers using one of the npm package versions listed below. All Zapier products are operating as expected and there is no indication of data loss or leak.

Timeline

  • At 5:50AM UTC on 11/24/2025, Zapier became aware that a subset of our npm packages had unauthorized modifications made to them in an apparent supply chain compromise.
  • The unauthorized core platform packages were unpublished by 10:30AM UTC.
  • The rest were deprecated by 2:03PM UTC.

Please see this link for the most up-to-date information. You can also find updates on the Zapier Status Page. The list of impacted Zapier npm packages and versions is below, along with instructions on how to mitigate impact if you are a Zapier developer.

For Zapier developers: the npm packages listed below were compromised and should not be downloaded or used. They have been unpublished and deprecated from npm and are no longer available. The compromised packages are used for developing Zapier platform integrations and other Zapier connectors. Please do not install these versions, and do not push integration changes using them.

Platform UI developers

If your integration is built on the Platform UI rather than the CLI, check the Versions page of your integration. The Platform Version column shows which package version your integration uses. As long as this is not version 18.0.2, 18.0.3, or 18.0.4, your integration is not affected.
This is a quick and easy way to confirm you are not affected. Please also note that we have not seen any integrations using the affected versions despite continued monitoring, and the affected npm package versions have been deprecated and unpublished so that they cannot be used.

Platform CLI developers

Recommendation for developers

  • What to do if you have downloaded any impacted packages?
    • Re-install the latest version of the package with npm i <package-name>@latest (this fetches the latest version that is not impacted).
      • For instance, npm i zapier-platform-core@latest
    • Include “-g” for global installation
      • For instance, npm i -g zapier-platform-cli@latest
  • How to get the latest “good” package?
    • Run npm i <package-name>@latest
      • For instance, npm i zapier-platform-core@latest
  • Make sure no impacted versions are cached:
    • Run npm cache clean --force
    • Remove any local node_modules directories
      • Run rm -rf node_modules
    • Remove package-lock.json to ensure fresh package version resolution
      • Run rm -f package-lock.json

Recommendation for partners who maintain integrations

For integration developers, do not push new versions with these packages installed in the timeframe above [5:50AM UTC to 2:03PM UTC]. If you already pushed a new version with these packages installed, please rotate secrets and private keys with updated values using zapier env or through developer.zapier.com.

Additional questions

If you have any additional questions, you can reach out to Developer Support here: https://developer.zapier.com/contact.

List of affected packages