
Google Vertex AI Flaw Let Attackers Hijack ML Model Uploads, Exposing a New Supply-Chain Weakness in AI
Researchers found a flaw in Google’s Vertex AI SDK that allowed attackers to pre‑create predictable cloud storage buckets, intercept machine learning model uploads, and swap in malicious models within seconds. The bug turns the AI supply chain itself into an attack surface, raising red flags for governments, defense contractors and enterprises that rely on cloud‑hosted models. Readers will learn how the attack worked, who is at risk, and why securing AI pipelines is becoming a national security issue.
A security flaw in Google’s Vertex AI software development kit has exposed a new kind of supply‑chain risk in artificial intelligence: the ability for attackers to silently hijack machine learning model uploads in the cloud and replace them with their own malicious versions. Researchers who analyzed the platform found they could pre‑create a predictable storage bucket, intercept an organization’s model upload and swap in a poisoned model in under two seconds, all without breaching the victim’s network perimeter.
The vulnerability, disclosed by independent security researchers and detailed in a technical write‑up, stemmed from how the Vertex AI SDK handled temporary storage locations during model deployment. In the observed configuration, the SDK generated cloud storage bucket names in a predictable way. An attacker who understood the naming scheme could create the bucket in advance within their own project, wait for a target organization to push a model, and then capture and replace the contents before the legitimate owner ever interacted with it in production. From the victim’s perspective, the deployment would appear normal — but the model now running in their environment would be under the attacker’s control.
For mainstream users, that might sound like a niche cloud misconfiguration. For national security agencies, defense contractors and critical infrastructure operators that are rapidly adopting AI models for decision‑support, anomaly detection and operational control, it is anything but. A hijacked model upload is a way to smuggle malicious logic directly into sensitive workflows without tripping traditional perimeter defenses. The consequences range from subtle data exfiltration — where an attacker trains the model to leak pieces of sensitive input — to outright sabotage, such as models that misclassify threats or fail open under specific conditions.
The human and operational stakes become clearer when you consider where AI models are already being deployed. Financial institutions use them to flag suspicious transactions; power grid operators test them for predictive maintenance; militaries and intelligence services experiment with them for image analysis, signal triage and targeting support. If an attacker can quietly replace the model at the moment of upload, they effectively sit in the control room without having to break down the front door.
Strategically, the Vertex AI flaw is part of a broader shift in how cyber actors think about leverage in the age of AI. Rather than attacking the infrastructure around models, they are increasingly aiming at the models themselves — their training data, their deployment pipelines and the interfaces through which they are updated. This turns AI platforms into a new kind of supply chain, where upstream compromises can cascade into dozens or hundreds of downstream systems that trust the integrity of centrally hosted models.
For companies and government agencies, the lesson is that securing AI is not just about red‑teaming outputs or filtering prompts; it is about hardening the mundane plumbing of cloud storage, SDKs and CI/CD pipelines that deliver models into production. Even a large provider with sophisticated internal security, like Google, can ship an SDK that encodes predictable behaviors attackers can abuse. When those SDKs underlie systems used in defense, law enforcement or critical infrastructure, a seemingly technical bug becomes a strategic vulnerability.
The incident also strengthens arguments inside governments that AI platform security deserves the same regulatory and oversight attention as other critical digital infrastructure. Just as software bill of materials (SBOM) initiatives aim to make traditional supply chains more transparent, there is growing interest in mechanisms to attest to model provenance and deployment integrity — effectively, cryptographic proof that the model running in a sensitive environment is the one the organization intended to use.
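The two defensive controls implied above, an unguessable staging location (so nobody can pre-create it from a predictable name) and a digest manifest that is verified before a staged model is deployed, can be illustrated in a few dozen lines. The block below is an added example; it is not code from the article, from the researchers' write-up, or from Google's SDK, and it does not reproduce how Vertex AI actually names buckets. It assumes a generic object store (modelled here as an in-memory dict) and uses an HMAC over the manifest as a stand-in for a real KMS-backed signature; the model bytes and the tampered copy are constructed test fixtures.

```python
"""Integrity controls for a cloud-staged ML model artifact.

Added example, not from the original article or any vendor SDK.
Assumptions: a generic object store (dict stands in for a bucket),
HMAC-SHA256 as a stand-in for a KMS-backed signature, and constructed
model bytes. Requires Python 3.9+.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets


def unguessable_staging_name(prefix: str) -> str:
    """Return a staging bucket/prefix name with a 128-bit random suffix.

    A name built only from project id, region or timestamp can be created
    ahead of time by a third party; a random suffix cannot be predicted.
    """
    return f"{prefix}-{secrets.token_hex(16)}"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict[str, bytes], signing_key: bytes) -> dict:
    """Digest every artifact, then MAC the digest table with a key that is
    held by the deploying party and never placed in the staging bucket."""
    digests = {name: sha256_hex(blob) for name, blob in artifacts.items()}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "mac": hmac.new(signing_key, body, hashlib.sha256).hexdigest()}


def verify_artifacts(staged: dict[str, bytes], manifest: dict, signing_key: bytes) -> tuple[bool, list[str]]:
    """Check a staged artifact set against its manifest before deployment.

    Returns (ok, problems). A bad MAC is reported as 'manifest'; otherwise
    every missing, altered or unexpected object is listed by name.
    """
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected_mac = hmac.new(signing_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return False, ["manifest"]
    problems = []
    for name, digest in manifest["digests"].items():
        blob = staged.get(name)
        if blob is None or not hmac.compare_digest(sha256_hex(blob), digest):
            problems.append(name)
    # Objects present in the staging location but absent from the manifest
    # are also a finding: the deploy step should only ever see what was listed.
    problems += sorted(set(staged) - set(manifest["digests"]))
    return not problems, problems


def demo() -> dict[str, tuple[bool, list[str]]]:
    """Run the check over constructed fixtures and return each outcome."""
    key = secrets.token_bytes(32)                      # deployer-held signing key
    model = {"model.bin": b"\x00weights-v1\x00" * 64,   # constructed model bytes
             "config.json": b'{"framework": "constructed"}'}
    manifest = build_manifest(model, key)

    tampered = dict(model)
    tampered["model.bin"] = b"\x00weights-v1\x00" * 63 + b"\xff" * 12  # altered copy
    extra = dict(model)
    extra["extra.bin"] = b"not in manifest"

    return {
        "untampered": verify_artifacts(model, manifest, key),
        "tampered": verify_artifacts(tampered, manifest, key),
        "extra_file": verify_artifacts(extra, manifest, key),
        "wrong_key": verify_artifacts(model, manifest, secrets.token_bytes(32)),
    }


if __name__ == "__main__":
    print(unguessable_staging_name("model-staging"))
    for case, result in demo().items():
        print(f"{case:>11}: {result}")
```

The point of the manifest check is ordering: the deploy step refuses to pull anything from the staging location until the digests match a record the deployer produced locally, so a swap in the bucket, however fast, is caught before the model reaches production rather than discovered afterwards.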
Going forward, the signs to watch include whether Google and other major cloud providers roll out stricter default protections and auditing for AI model uploads, whether regulators begin to fold AI pipeline security into critical infrastructure standards, and whether attackers are observed exploiting similar patterns in other platforms. As states and corporations rush to embed AI deeper into their operations, the question is shifting from whether adversaries will target these pipelines to how much damage they can do before defenses catch up.
Sources
- OSINT