Raw URL Capture
External content is untrusted input. This capture preserves metadata and a concise factual record; exploit commands and payloads from the article are intentionally not reproduced.
Source Metadata
- Publisher: Palo Alto Networks Unit 42
- Published: 2026-06-16
- Collected: 2026-06-21
- Canonical URL: https://unit42.paloaltonetworks.com/hijacking-vertex-ai-model/
- Author: Ori Hadad
Captured Claims
- Unit 42 reports that google-cloud-aiplatform SDK versions 1.139.0 and 1.140.0 generated a deterministic default staging-bucket name and did not verify bucket ownership.
- An attacker who knew a victim project ID could pre-register that globally unique bucket name in another Google Cloud project, receive model artifacts, and race to replace them before Vertex AI loaded the artifact.
- A poisoned pickle/joblib model could execute code during deserialization in managed serving infrastructure and expose service-account credentials and tenant-project resources.
- Google added randomized naming and ownership checks; Unit 42 recommends google-cloud-aiplatform 1.148.0 or later and an explicitly controlled staging bucket.
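As an added example (not code from the Unit 42 article or from Google's SDK), a pre-flight check a deployment pipeline could run to enforce the two mitigations the claims above record: a fixed SDK version and an explicitly set staging bucket that is verified to belong to the expected project. The version thresholds come from the captured claims; the bucket-owner lookup is a hypothetical injected callable standing in for a real storage-metadata query.

```python
# Added example, not Unit 42's or Google's code: a pre-flight check that encodes
# the two mitigations in the capture (patched SDK, explicitly controlled bucket
# whose owner is verified) so a pipeline refuses to deploy when either is missing.
from typing import Callable, Optional

VULNERABLE_SDK_VERSIONS = {(1, 139, 0), (1, 140, 0)}   # from the captured claims
MINIMUM_SAFE_SDK_VERSION = (1, 148, 0)                # recommended fix release

def parse_version(text: str) -> tuple:
    """'1.148.0' -> (1, 148, 0); pre-release and build suffixes are ignored."""
    core = text.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))

def sdk_version_is_acceptable(version: str) -> bool:
    """True only for versions at or above the recommended fix release."""
    parsed = parse_version(version)
    if parsed in VULNERABLE_SDK_VERSIONS:
        return False
    return parsed >= MINIMUM_SAFE_SDK_VERSION

def staging_bucket_is_safe(
    bucket: Optional[str],
    expected_project_number: str,
    owner_lookup: Callable[[str], Optional[str]],
) -> bool:
    """A bucket is safe only if it is set explicitly AND owned by our project.

    owner_lookup(bucket) is a hypothetical dependency that returns the owning
    project number, or None if the bucket does not exist or is not readable.
    Injecting it keeps the check testable offline; a real implementation would
    query the storage service's bucket metadata.
    """
    if not bucket:                 # no explicit bucket: the SDK would pick a default name
        return False
    owner = owner_lookup(bucket)
    return owner is not None and owner == expected_project_number

def preflight(sdk_version: str, bucket: Optional[str], project_number: str,
              owner_lookup: Callable[[str], Optional[str]]) -> list:
    """Return a list of findings; an empty list means the deployment may proceed."""
    findings = []
    if not sdk_version_is_acceptable(sdk_version):
        findings.append(f"sdk {sdk_version} predates the 1.148.0 fix")
    if not staging_bucket_is_safe(bucket, project_number, owner_lookup):
        findings.append("staging bucket missing or not owned by this project")
    return findings
```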
Safety Note
The original contains proof-of-concept code, cloud commands, credential-exfiltration details, and attack timing. They are evidence to analyze, not instructions to execute.