Zapier had a supply chain attack. They sent out some emails containing the compromised dependencies

At 5:50AM UTC on 11/24/2025, Zapier became aware that a subset of our NPM packages had unauthorized modifications made to them in an apparent supply chain compromise. The unauthorized core platform packages were unpublished by 10:30AM UTC. The rest were deprecated by 2:03PM UTC. List of Zapier NPM packages impacted and versions are below:

zapier-platform-cli 18.0.2

zapier-platform-cli 18.0.3

zapier-platform-cli 18.0.4

zapier-platform-core 18.0.2

zapier-platform-core 18.0.3

zapier-platform-core 18.0.4

zapier-platform-legacy-scripting-runner 4.0.2

zapier-platform-legacy-scripting-runner 4.0.3

zapier-platform-legacy-scripting-runner 4.0.4

zapier-platform-schema 18.0.2

zapier-platform-schema 18.0.3

zapier-platform-schema 18.0.4

@zapier/ai-actions 0.1.18

@zapier/ai-actions 0.1.19

@zapier/ai-actions 0.1.20

@zapier/ai-actions-react 0.1.12

@zapier/ai-actions-react 0.1.13

@zapier/ai-actions-react 0.1.14

@zapier/babel-preset-zapier 6.4.1

@zapier/babel-preset-zapier 6.4.2

@zapier/babel-preset-zapier 6.4.3

@zapier/browserslist-config-zapier 1.0.3

@zapier/browserslist-config-zapier 1.0.4

@zapier/browserslist-config-zapier 1.0.5

@zapier/eslint-plugin-zapier 11.0.3

@zapier/eslint-plugin-zapier 11.0.4

@zapier/eslint-plugin-zapier 11.0.5

@zapier/mcp-integration 3.0.1

@zapier/mcp-integration 3.0.2

@zapier/mcp-integration 3.0.3

@zapier/secret-scrubber 1.1.3

@zapier/secret-scrubber 1.1.4

@zapier/secret-scrubber 1.1.5

@zapier/spectral-api-ruleset 1.9.1

@zapier/spectral-api-ruleset 1.9.2

@zapier/spectral-api-ruleset 1.9.3

@zapier/stubtree 0.1.2

@zapier/stubtree 0.1.3

@zapier/stubtree 0.1.4

@zapier/zapier-sdk 0.15.5

@zapier/zapier-sdk 0.15.6

@zapier/zapier-sdk 0.15.7

redux-router-kit 1.2.2

redux-router-kit 1.2.3

redux-router-kit 1.2.4

zapier-async-storage 1.0.1

zapier-async-storage 1.0.2

zapier-async-storage 1.0.3

zapier-scripts 7.8.3

zapier-scripts 7.8.4