Researchers at Token Security have shown how a chain of small misconfigurations in a low-code cloud service can add up to a near-total platform takeover. In an analysis published May 28, the firm described a five-step attack that nearly compromised the automation service Zapier — letting them reconnoiter the sandbox, find credentials, and move laterally into private repositories from which they could potentially have published malicious code.

The chain began where Zapier invites it: in a user-supplied code block. Code by Zapier lets customers (or an AI agent) run their own Python or JavaScript, and the researchers used that to query the sandbox, discovering it ran on AWS Lambda with an over-permissioned role confusingly named "allow_nothing_role" and credentials that were not securely deleted. Because Lambda does not proactively purge tokens until a container is recycled, they extracted secrets straight from memory.

With that role, the team could list and pull 1,111 files from Zapier's private repository, among them a file exposing an NPM publishing token valid for every package. They stopped short of the final two steps, but noted a post-install script could have run arbitrary code by riding a legitimate Zapier package and distributing it to every authenticated user's browser. Team lead Yair Balilti said an attacker could effectively act as any user inside Zapier — creating automations and abusing existing third-party connections that execute server-side.

The case underscores how disaggregated SaaS and the rush toward agentic AI are expanding cloud attack surface: researchers note that 56 percent of companies have no process to track SaaS-to-SaaS connections. It echoes last year's UNC6395 campaign, which stole data from Salesforce instances by abusing OAuth tokens tied to the Salesloft Drift integration.