Zapier just had a supply chain attack

  • Posted 13 hours ago by hoppp
  • 2 points
Zapier had a supply chain attack. They sent out some emails containing the compromised dependencies.

At 5:50AM UTC on 11/24/2025, Zapier became aware that a subset of our NPM packages had unauthorized modifications made to them in an apparent supply chain compromise. The unauthorized core platform packages were unpublished by 10:30AM UTC. The rest were deprecated by 2:03PM UTC. List of Zapier NPM packages impacted and versions are below:

zapier-platform-cli 18.0.2

zapier-platform-cli 18.0.3

zapier-platform-cli 18.0.4

zapier-platform-core 18.0.2

zapier-platform-core 18.0.3

zapier-platform-core 18.0.4

zapier-platform-legacy-scripting-runner 4.0.2

zapier-platform-legacy-scripting-runner 4.0.3

zapier-platform-legacy-scripting-runner 4.0.4

zapier-platform-schema 18.0.2

zapier-platform-schema 18.0.3

zapier-platform-schema 18.0.4

@zapier/ai-actions 0.1.18

@zapier/ai-actions 0.1.19

@zapier/ai-actions 0.1.20

@zapier/ai-actions-react 0.1.12

@zapier/ai-actions-react 0.1.13

@zapier/ai-actions-react 0.1.14

@zapier/babel-preset-zapier 6.4.1

@zapier/babel-preset-zapier 6.4.2

@zapier/babel-preset-zapier 6.4.3

@zapier/browserslist-config-zapier 1.0.3

@zapier/browserslist-config-zapier 1.0.4

@zapier/browserslist-config-zapier 1.0.5

@zapier/eslint-plugin-zapier 11.0.3

@zapier/eslint-plugin-zapier 11.0.4

@zapier/eslint-plugin-zapier 11.0.5

@zapier/mcp-integration 3.0.1

@zapier/mcp-integration 3.0.2

@zapier/mcp-integration 3.0.3

@zapier/secret-scrubber 1.1.3

@zapier/secret-scrubber 1.1.4

@zapier/secret-scrubber 1.1.5

@zapier/spectral-api-ruleset 1.9.1

@zapier/spectral-api-ruleset 1.9.2

@zapier/spectral-api-ruleset 1.9.3

@zapier/stubtree 0.1.2

@zapier/stubtree 0.1.3

@zapier/stubtree 0.1.4

@zapier/zapier-sdk 0.15.5

@zapier/zapier-sdk 0.15.6

@zapier/zapier-sdk 0.15.7

redux-router-kit 1.2.2

redux-router-kit 1.2.3

redux-router-kit 1.2.4

zapier-async-storage 1.0.1

zapier-async-storage 1.0.2

zapier-async-storage 1.0.3

zapier-scripts 7.8.3

zapier-scripts 7.8.4
