⚠️ Zapier’s NPM Account Hacked — Multiple Packages Infected With Self-Propagating ‘Shai Hulud’ Malware
If you woke up to headlines like “Zapier’s NPM account breached” and felt your stomach drop — you’re not alone. For a lot of teams, Zapier is the brainstem holding together client intake, lead funnels, content posting, CRM updates, billing workflows, and dozens of micro-automations. Hearing “Zapier + Malware” in the same sentence triggers instant panic.
Here’s what actually happened, who needs to worry, and why the vast majority of automations are still safe.
1. The Scary Part (What the Headlines Don’t Explain)
The attacker used Zapier’s NPM account to publish compromised versions of several JavaScript packages. Those updates included self-propagating malware that attempts to replicate itself across developer environments, steal credentials, and execute supply-chain injection attacks.
This puts the incident in the same risk class as SolarWinds, event-stream, or the PyPI compromises that targeted Python developers — real supply-chain malware that spreads because someone trusted the vendor namespace.
So it makes sense that people assume, “If Zapier was hacked, my workflows are compromised.” But here’s the twist: only a tiny slice of builders were exposed.
2. The Part They Don’t Tell You — Most Users Are Not Affected
Zapier’s NPM breach only impacts people who import Zapier-published packages or run custom JavaScript through Zapier’s developer tooling. That includes:
- Developers using Zapier’s Integrations SDK
- Anyone running custom JavaScript with imported modules inside Zapier
- Zapier Interface apps that bundle JavaScript assets
- Advanced, code-heavy automations and CLI apps
In other words, unless you or your team are doing real engineering inside Zapier, this incident never touched your automations.
3. Should You Worry? (Spoiler: No.)
You’re in the clear if your Zaps look like:
- “When someone submits a form → Send to Notion”
- “New lead in Facebook → Add to CRM”
- “New blog published → Post to LinkedIn”
- “If new row in Sheets → Send email”
Those Zaps don’t touch NPM, don’t import external modules, and don’t execute custom code. They simply orchestrate APIs via Zapier’s hosted connectors. 99% of Zapier users are totally safe, especially if you run 1–2 step automations.
This breach doesn’t touch your API keys, tasks, or Zapier’s core infrastructure. It lives entirely in the open-source package ecosystem.
4. Where Risk Actually Starts
Here’s the exact boundary where exposure begins. Stay on the left-hand side and your workflows remain outside the blast radius.
| Zapier Feature | Impacted? |
|---|---|
| Standard Zaps | ❌ Not impacted |
| 1–2 Step Zaps | ❌ Not impacted |
| App-to-app automations | ❌ Not impacted |
| Built-in Zapier actions | ❌ Not impacted |
| Code by Zapier (JS) | ⚠️ Potentially |
| Custom developer integrations | ⚠️ Yes |
| Zapier CLI apps | ⚠️ Yes |
| NPM imports | ⚠️ Yes |
| Interfaces using JS bundles | ⚠️ Yes |
Unless you’re building apps on Zapier or importing npm packages into their environment, you never touch the compromised surface area.
5. Final Takeaway
The headlines sound scary. The reality is… you’re completely fine. This attack matters for developers building custom integrations, not the typical user relying on drag-and-drop Zaps. Zapier’s core services weren’t breached — only their NPM account was targeted.
Your Zaps will keep running. Your workflows are safe. And your business isn’t exposed unless you’re writing JavaScript packages for Zapier. If anything, it’s a reminder that automation supply chains are fragile and keeping your stack simple is often the safest move.
Need an Automation Audit?
Unsure whether any of your workflows cross into “advanced territory”? I can help you review the architecture, check for supply-chain risks, and reinforce the systems that actually move revenue.
