Palo Alto Networks Unit 42 disclosed a weakness in Google Cloud Vertex AI that could let attacker-controlled AI agents extract credentials from the platform’s Per-Project, Per-Product Service Agent (P4SA) and use them to access customer resources. The issue affects deployments built with the Agent Development Kit through Agent Engine, where excessive default permissions weakened isolation between the AI agent runtime and the customer’s Google Cloud project. Researchers said exposed service-agent credentials could be abused to gain broad read access to Google Cloud Storage data and to view restricted Google-owned Artifact Registry repositories linked to Vertex AI infrastructure.
Unit 42 said the flaw also exposed details about internal Google infrastructure and potentially proprietary code associated with the Vertex AI Reasoning Engine. Researchers further warned that insecure Python pickle usage and broad, non-editable OAuth 2.0 scopes could expand the blast radius beyond GCP into Google Workspace services such as Gmail, Google Calendar, and Google Drive. Google responded by updating its guidance and urging customers to adopt Bring Your Own Service Account (BYOSA) and least-privilege controls to reduce the risk.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
In response to the findings, Google updated its documentation to recommend the Bring Your Own Service Account model and least-privilege controls for Vertex AI deployments. The guidance was intended to reduce the risk posed by the default service-agent permissions.
Unit 42 showed that stolen Vertex AI service-agent credentials could be used to gain broad read access to customer Google Cloud Storage data and visibility into restricted Google-owned Artifact Registry repositories associated with Vertex AI infrastructure. The research also warned about insecure Python pickle usage and broad OAuth scopes that could potentially extend access to Google Workspace services.
Palo Alto Networks Unit 42 found that Google Cloud Vertex AI Agent Engine deployments using the Agent Development Kit assigned overly broad default permissions to the Per-Project, Per-Product Service Agent. The researchers determined this could let an attacker-controlled AI agent extract service-agent credentials and break isolation between the agent runtime and a customer's Google Cloud project.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcethehackernews.com
Open sourcesdxcentral.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.