ai | 2026-06-07

Zapier Hijack Chain, DentaQuest Data Leak, AI Finds Redis

Three security stories in one week: Token Security disclosed a five-stage Zapier exploit chain (Lambda memory scraping → orphaned NPM token → auth-origin JavaScript, $3K bounty); DentaQuest confirmed 2.6M accounts exposed by ShinyHunters (234 GB leaked); and Claude Mythos Preview disclosed 10,000+ AI-found high-severity open-source flaws in a month.

Three security stories dropped within a week in late May / early June 2026, and they're worth reading together. Token Security disclosed a five-stage Zapier exploit chain that turned a free account into a JavaScript execution primitive on zapier.com. DentaQuest confirmed a breach of 2.6 million accounts after the ShinyHunters extortion group leaked 234 GB of data. And AI-driven vulnerability discovery crossed another threshold, with Claude Mythos Preview finding thousands of high-severity flaws in widely-deployed open-source code in a single month.

What You Need to Know: On May 28, 2026, Token Security researchers published a writeup of a five-stage Zapier exploit chain — combining a Lambda memory-scraping primitive, an over-permissioned ECR role, an orphaned NPM publish token, and a package that loads in every authenticated zapier.com session — that they reported on February 12 and that earned them a $3,000 bounty. Two days later, dental benefits administrator DentaQuest (owned by Sun Life) confirmed a ShinyHunters breach exposing 2.6 million accounts, including 2.6 million unique email addresses. In the same week, Anthropic's Claude Mythos Preview disclosed that it had found 10,000+ high-severity vulnerabilities in widely-deployed open-source software in a single month.

Why It Matters

  • The Zapier chain is a textbook case of "no individual bug, but composition is the bug." Each link — del os.environ[k] not zeroing heap bytes, the allow_nothing_role that wasn't actually nothing, the NPM token in history[], the zapier-design-system package loading in every authenticated session — is a known anti-pattern. The lesson is that bounty programs need to look at chains, not just primitives.
  • DentaQuest is the new baseline for healthcare breach size. 2.6 million accounts, 234 GB leaked, names, genders, email addresses. That's "we have to send notification letters" territory, not "we have to issue new cards." Most healthcare orgs of similar size should be planning for the same.
  • AI-discovered vulnerabilities are no longer a curiosity. Claude Mythos Preview found 10,000+ high-severity flaws in a month — and that's the public-facing number, from the vendor. The implication for defenders: a single AI agent can now do the work of a hundred pentesters. The implication for attackers: same.
  • The bounty economics are still broken. A five-stage chain that grants JavaScript execution in the authenticated origin on zapier.com paid out $3,000 — the program maximum. Zapier "committed to review the cap" but hasn't raised it yet. This is why researchers go to Token Security first instead of trying direct disclosure.

What Actually Happened

The Zapier exploit chain (disclosed May 28, 2026)

The full technical writeup is on Help Net Security. The chain ran through five separate systems. Stage 1: inside Code by Zapier's Python sandbox, running on AWS Lambda in us-east-1, a call to os.system('env') showed an environment from which Zapier's handler had already tried to scrub the AWS credentials. The scrubber used del os.environ[k], which removes the Python dict entry and calls unsetenv() in libc — but doesn't zero the bytes on the process heap. The researchers read /proc/self/mem, ran four regex patterns against the readable memory regions, and recovered live STS session tokens for the role assigned to the Lambda.

Stage 2: the recovered role was allow_nothing_role, which actually permitted ecr:DescribeRepositories, ecr:ListImages, ecr:BatchGetImage, and ecr:GetDownloadUrlForLayer. Those four permissions are enough to pull container images through the AWS API without ever requesting a Docker registry auth token. The researchers enumerated 1,111 production repositories and pulled images using the layer-fetch APIs.

Stage 3: in one image, an NPM publish token had leaked into the container config history. The token had been passed to the build through a Dockerfile ARG, which serializes into the image's history[] field. NPM API metadata showed the token had action: write, name: null, and bypass_2fa: true. The combination granted publish rights to every package the associated account could publish — including zapier-platform-core, zapier-platform-cli, and zapier-design-system.
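An added example, not code from the writeup, of the Stage 3 check a build pipeline can run before pushing: scan an image config blob for build-arg values recorded in history[]. The sample config and the npm_PLACEHOLDER token are constructed, and the two regexes are triage-grade approximations of the npm and AWS key formats.

```python
import re

# Credential shapes relevant to this story: npm granular tokens ("npm_" plus
# 36 base62 characters) and AWS access key ids. Approximations for triage only.
SECRET_PATTERNS = {
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
}

def _matches(where, text):
    return [{"where": where, "kind": kind, "value": m.group()}
            for kind, pattern in SECRET_PATTERNS.items()
            for m in pattern.finditer(text)]

def scan_image_config(config):
    """Return secret findings from an image config's history[] and Env.

    A RUN step that consumes a build ARG records the arg value in that
    history entry's created_by ("|<n> NAME=value /bin/sh -c ...", with a
    "RUN " prefix and "# buildkit" suffix under BuildKit), so the secret
    ships with every copy of the image even though no layer contains it."""
    findings = []
    for idx, entry in enumerate(config.get("history", [])):
        findings += _matches(f"history[{idx}]", entry.get("created_by", ""))
    for env in config.get("config", {}).get("Env", []):
        findings += _matches("config.Env", env)
    return findings

def redact(value):
    """Keep a short prefix for correlating with the issuing system, no more."""
    return value[:8] + "..." + "*" * 4

# Constructed image config (shape of the per-image config JSON inside an OCI
# layout / `docker save` archive). The token is a placeholder with the right
# shape, not a real npm token and not the one from the Zapier writeup.
PLACEHOLDER_TOKEN = "npm_PLACEHOLDER" + "0" * 25   # 36 characters after "npm_"
SAMPLE_CONFIG = {
    "config": {"Env": ["PATH=/usr/local/bin:/usr/bin", "NODE_ENV=production"]},
    "history": [
        {"created_by": "/bin/sh -c #(nop) ADD file:abc in /"},
        {"created_by": "/bin/sh -c #(nop)  ARG NPM_TOKEN", "empty_layer": True},
        {"created_by": f"|1 NPM_TOKEN={PLACEHOLDER_TOKEN} /bin/sh -c npm ci"},
        {"created_by": "/bin/sh -c #(nop)  EXPOSE 3000", "empty_layer": True},
    ],
}

if __name__ == "__main__":
    for f in scan_image_config(SAMPLE_CONFIG):
        print(f["where"], f["kind"], redact(f["value"]))
```

The fix on the build side is to pass the token as a BuildKit secret mount rather than an ARG, so it never enters the image config at all.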

Stage 4: zapier-design-system loads in every authenticated session on zapier.com. The researchers verified the load path in browser developer tools and stopped there. A poisoned version of the package would have executed attacker-controlled JavaScript inside the authenticated origin on the next release.

Stage 5 (the consequence): an attacker with that access could act as the user inside Zapier, creating Zaps, Tables, and MCP servers, and driving the user's existing integrations through the platform. OAuth tokens for every connected service would have been accessible. Zapier triaged the report within four days of submission on February 12, 2026, revoked the leaked NPM token, and tightened the underlying AWS role by February 16. The bounty was $3,000 — the program maximum, with a "we'll review the cap at the next program review" commitment.

DentaQuest: 2.6M accounts, 234 GB, ShinyHunters

DentaQuest confirmed the breach on June 2, 2026, after ShinyHunters added it to their dark-web leak site. Per Have I Been Pwned's June 3, 2026 entry, the data came from a "pay or leak" extortion campaign and included "names, contact information, dates of birth, and dental plan information." The Privacy Guides data breach roundup for May 29 – June 4, 2026 pegs the count at 2.6 million accounts. The Check Point Research threat intelligence report for June 8, 2026 adds that ShinyHunters claimed 234 GB of data. DentaQuest is owned by Sun Life U.S., and the breach is now in active class-action territory (per GS Legal's investigation).

AI vulnerability discovery crosses a threshold

Anthropic's Claude Mythos Preview, the unreleased frontier model, disclosed finding 10,000+ high-severity software flaws in widely-deployed open-source software in a single month (per Develeap's coverage and The Hacker News's May 2026 writeup). The 271 Firefox bugs in that count, including the "27-year-old vulnerability" the AI surfaced, are the kind of result that changes defender economics. An AI agent can now read a million lines of code, fuzz every input boundary, and write a CVE-formatted report — and it can do that in parallel. The same capability, in the wrong hands, is the new attack surface.

The Take

The Zapier chain is the one to study. Not because Zapier is uniquely broken — every complex SaaS has the same shape of composable primitives — but because the researchers actually stopped at every step, wrote it up, and got a real remediation. The DentaQuest breach is the more painful one: a name, a date of birth, and a dental plan are a lifetime of phishing fodder. And the AI-discovery story is the one that will define the next two years: defender-as-agent versus attacker-as-agent, and the side that builds the better tooling wins.

Quick Summary

Token Security disclosed a five-stage Zapier exploit chain (Lambda memory scraping → over-permissioned ECR role → orphaned NPM token → auth-origin JavaScript) that paid $3,000. DentaQuest confirmed a 2.6M-account breach by ShinyHunters (234 GB leaked). Claude Mythos Preview disclosed 10,000+ AI-found high-severity open-source vulnerabilities in a month.

Source: TLDR | mr.technology — The Master Skill Index
