TechTarget and Informa Tech’s Digital Business Combine. Dark Reading Resource Library Black Hat News Omdia Cybersecurity Advertise NEWSLETTER SIGN-UP Cybersecurity Topics World The Edge DR Technology Events Resources VULNERABILITIES & THREATS СLOUD SECURITY CYBER RISK CYBERSECURITY OPERATIONS NEWS With Complex Cloud Integrations, Small Errors Lead to Major Compromises Researchers discover an exploit chain combining over-permissioned roles, secrets discovery, and non-human identities that could have compromised a popular automation service. Robert Lemos,Contributing Writer May 29, 2026 5 Min Read SOURCE: T.N. SURSOCK VIA SHUTTERSTOCK Low-code cloud services that allow users to create and run their own sandboxed code could be compromised by multistep exploit chains, leading to a complete platform takeover, if software-as-a-service (SaaS) providers haven't properly sandboxed their environments, managed the roles and permissions of non-human identities, and inadvertently exposed secrets in code artifacts. Such a compromise almost happened to low-code automation service Zapier. Using a handful of steps that exploited the company's platform, researchers with agentic-identity security firm Token Security discovered they could reconnoiter Zapier's sandboxed environment, discover credentials, and move laterally to pull the company's private repositories, and potentially could have published malicious code, researchers stated in an analysis published May 28. Token Security researchers could have pushed malicious code to Zapier's repositories and to any users authenticated to the system, says Yair Balilti, research team lead for Token Security. Related:Microsoft Issues Out-of-Band SharePoint Patch "If you have a user in Zapier, I can take your cookie, send it to an attacker website," he says. "I can use the same cookie and use all the tools that you are using in Zapier. For example, if you have some automation to send email to get to [another service], I can use the same primitive." The ability to jump between cloud components using credentials, development secrets, and non-human identities has become a major source of vulnerability in enterprise cloud usage. Between the disaggregation of software into various cloud services and the accelerating push for agentic AI swarms, SaaS infrastructure is growing more complex and harder to secure. Cybersecurity researchers have already noted that most companies — 56%, in fact — do not have a process in place to track SaaS-to-SaaS connections and integrations. Last year, the threat actor UNC6395, for example, stole data from company's Salesforce instances by abusing OAuth tokens associated with a third-party sales automation app, Salesloft Drift. "note — this isn't a security thing" Token Security's five-step attack chain used to nearly compromise the automation service started with ability to write code in a code block. Zapier and other automation service providers allow users to write their own code to accomplish custom tasks or allow an AI agent to write the code for them. Code by Zapier, for example, allows customer scripts and data manipulation code to be written in Python and JavaScript. "It is advertised as a place where users run their own logic," Token Security's Balilti stated in his online analysis. "So we ran our own logic." Related:Microsoft Exchange Zero-Day Under Attack, No Patch Available Using their own code, the researchers were able to query the sandbox OS to discover it was running on AWS Lambda, and while there were no obviously leaked credentials, the ability to read a task file showed an overly permissive role — incorrectly named "allow_nothing_role" — and the failure to securely delete credentials. In the file's comments, a developer wrote: # note - this isn't a security thing since we pass a allow\_nothing role - just avoids # responding to dozens of annoying false positive security reports As their second step, the researchers created a Python script to extract secrets from the memory, which was aided by the fact that AWS Lambda does not proactively delete the tokens and other secrets until the container is recycled. Using the role, the researchers discovered that they could list and request 1,111 files from Zapier's private repository during the third stage of their attack. Among those files, they found one that exposed an NPM token for publishing that could be used for every package. The Five Stages of Cloud Compromise include escaping the sandbox, finding credentials and over-permissioned roles, and then moving laterally. Source: Token Security While the researchers described their last two steps, they did not execute them. A post-install script would have allowed them to run arbitrary code by adding it to a legitimate Zapier package, and the fifth stage would allowed them to distribute the code to every authenticated Zapier user's browser. Related:Can Laws Stop Deepfakes? South Korea Aims to Find Out "An attacker would have been able to act as the user inside Zapier: create Zaps, create Tables, create MCP servers, modify existing automations, and use the user's existing connections to third-party services through Zapier's platform," Balilti wrote in the analysis. "Those connections execute server-side. The attacker can drive them by riding the user's session and asking Zapier to do things." Too Many Permissions, Too Little Security Token Security notified Zapier in February under responsible-disclosure guidelines, which fixed the issue in less than a week. Token Security later confirmed that the remediation works and intends to present the research June 1 at fwd:cloudsec North America. Companies need to pay more attention to their automation platforms and the data to which they have access, then focus on limiting roles as much as possible, Balilti says. "When you are using some automation platform, you are connected to all your integrations — like Salesforce, Gmail, and Google Drive — and maybe when you do that, [make sure you] do that with the least-privileged scope that you can," he says. "Then, if sometime your user is exposed, it will just be read-only or [limited to] specific resources." The permission problem is significant. In March, for example, Salesforce warned customers that their guest accounts tended to have lax permissions, allowing cybercriminals to conduct social-engineering attacks and steal data. More than likely, attackers are already pen-testing companies' SaaS deployments, says Balilti. "There are many automation workflow platforms in the world and most of them also have [a feature similar to] a code block," he says. "And maybe some attackers will try the same approach." About the Author Robert Lemos Contributing Writer Rob is an award-winning, veteran technology journalist of more than 30 years, reporting on global cybersecurity issues, the latest offensive and defensive technologies, malware incidents, cyber conflict, and AI's impact on software and cybersecurity. A former research engineer, Rob has written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. He has received five awards for journalism, including Best Deadline Journalism (Online) in 2003 for his coverage of the Blaster worm. Rob also analyzes data on various trends using Python and R for both his reporting and his clients. Recent reports include analyses of the shortage in cybersecurity workers, annual vulnerability trends, and annual threat reports. Rob holds degrees from Cornell University in Electrical Engineering and Computer Science (double major). Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Organizations Are Managing Incident Response How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy Essential News & Insights from Black Hat USA 2025 How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Access More Research Webinars The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack Defending in the Shadow Era: When the CVE Feed Goes Dark Building SecOps That Make the Most of Every Dollar AI-Powered Credential Security: Intelligence Without Exposure More Webinars You May Also Like VULNERABILITIES & THREATS Cheap Hardware Module Bypasses AMD, Intel Memory Encryption by Rob Wright NOV 25, 2025 VULNERABILITIES & THREATS Patch Now: Microsoft Flags Zero-Day & Critical Zero-Click Bugs by Jai Vijayan, Contributing Writer NOV 11, 2025 VULNERABILITIES & THREATS Microsoft Issues Emergency Patch for Critical Windows Server Bug by Rob Wright OCT 24, 2025 VULNERABILITIES & THREATS 350M Cars, 1B Devices Exposed to 1-Click Bluetooth RCE by Nate Nelson, Contributing Writer JUL 11, 2025 Editor's Choice CYBERSECURITY OPERATIONS 20 Leaders Who Built the CISO Era: 2 Decades of Change byDark Reading Editorial Team MAY 12, 2026 41 MIN READ APPLICATION SECURITY It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight byJai Vijayan MAY 12, 2026 5 MIN READ CYBERATTACKS & DATA BREACHES Instructure Breach Exposes Schools' Vendor Dependence byAlexander Culafi MAY 6, 2026 4 MIN READ Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed TUESDAY, JUNE 23, 2026 1:00 PM EDT Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack THURS, JUNE 25, 2026, AT 1PM EST Defending in the Shadow Era: When the CVE Feed Goes Dark TUES, JUNE 16, 2026 AT 1PM EST Building SecOps That Make the Most of Every Dollar THURS, JULY 9, 2026 AT 1PM EST AI-Powered Credential Security: Intelligence Without Exposure WED, JUN