Google Patches Critical Cloud Composer Vulnerability to Prevent Supply Chain Attacks

Google Cloud Platform (GCP) recently patched a critical security flaw in Cloud Composer that could have allowed attackers to execute remote code by exploiting a dependency confusion attack, a supply chain vulnerability. The issue, dubbed CloudImposer by Tenable Research, impacted multiple GCP services, including App Engine and Cloud Functions.

The Vulnerability:

Dependency confusion occurs when an attacker publishes a malicious package to a public repository, such as PyPI, under the same name as a legitimate internal package, so that build systems mistakenly download the malicious version. The flaw in GCP’s Cloud Composer stemmed from the use of the --extra-index-url argument in Python’s pip install command, which makes pip consult the public index alongside the private one; a public package with the same name could then be chosen over the internal one, allowing attackers to introduce rogue packages.

Impact:

If exploited, this vulnerability could enable attackers to gain control of cloud environments, execute arbitrary code, exfiltrate credentials, and move laterally within a victim’s GCP infrastructure. The attack had the potential to impact large-scale cloud deployments across GCP users.

Google’s Mitigation:

Google responded quickly after receiving Tenable’s responsible disclosure in January 2024, fixing the vulnerability in May 2024 by:

  • Restricting package installations to private repositories.
  • Adding checksum validation to ensure package integrity.
  • Updating GCP documentation, recommending the use of the --index-url argument instead of --extra-index-url to reduce the risk of dependency confusion.
  • Advising customers to utilize the GCP Artifact Registry’s virtual repository to better manage package installations.
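The following audit script is an added example for the risky configuration described above and the mitigations in the list; it is not code from the original post, from Google, or from Tenable. It parses a pip requirements file the way pip does (joining backslash continuations and stripping comments), flags --extra-index-url, and flags every requirement that is not pinned with == and locked with a --hash, since a pinned hash is what rejects a substituted package. The index URLs, package names and sha256 values in the two sample files are constructed placeholders; real hashes come from the trusted artifact (for example via pip hash or pip-compile --generate-hashes).

```python
"""Audit a pip requirements file for the two weaknesses behind dependency confusion.

Added example, not code from the original post, Google or Tenable. It flags:
  1. --extra-index-url, which makes pip search the public index alongside the
     private one and install the highest version offered by either, and
  2. requirements that are not pinned (==) and hash-locked (--hash=sha256:...),
     which is what would let a substituted package slip through.
Sample requirement texts, URLs and hashes below are constructed placeholders.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int    # 1-based number of the logical (continuation-joined) line
    severity: str   # "high" or "medium"
    message: str


_COMMENT_RE = re.compile(r"(^|\s)#.*$")
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")
_HASH_RE = re.compile(r"--hash[= ](sha256|sha384|sha512):[0-9a-fA-F]+")

# Constructed sample: the risky pattern (extra index plus unpinned, unhashed packages).
WEAK_REQUIREMENTS = """\
# constructed example of a risky requirements file
--extra-index-url https://example.internal/simple/   # constructed private index
internal-utils>=1.0
requests==2.31.0
"""

# Constructed sample: one private index, hash checking enforced, every package pinned.
HARDENED_REQUIREMENTS = """\
--index-url https://example.internal/simple/   # constructed private index
--require-hashes
internal-utils==1.4.2 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
requests==2.31.0 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
"""


def _logical_lines(text):
    """Join backslash-continued lines and strip comments, in the order pip does."""
    buf, first_no = [], None
    for n, raw in enumerate(text.splitlines(), start=1):
        if first_no is None:
            first_no = n
        if raw.endswith("\\"):
            buf.append(raw[:-1])
            continue
        buf.append(raw)
        line = _COMMENT_RE.sub("", " ".join(buf)).strip()
        if line:
            yield first_no, line
        buf, first_no = [], None


def audit_requirements(text):
    """Return a list of Finding objects; an empty list means nothing was flagged."""
    findings = []
    for no, line in _logical_lines(text):
        if line.startswith("-"):
            # Option line: accept both "--opt value" and "--opt=value" forms.
            opt, _, value = line.partition(" ")
            opt, _, eq_value = opt.partition("=")
            value = eq_value or value
            if opt == "--extra-index-url":
                findings.append(Finding(no, "high",
                    f"--extra-index-url {value}: pip also consults the public index and "
                    "installs the highest version from either; use --index-url instead"))
            continue  # -r, -e, --index-url, --require-hashes are not findings
        name_match = _NAME_RE.match(line)
        if not name_match:
            continue  # bare URLs and local paths are out of scope for this check
        name = name_match.group(0)
        spec = line[name_match.end():].split(" --", 1)[0]
        if "==" not in spec:
            findings.append(Finding(no, "medium", f"{name}: version is not pinned with =="))
        if not _HASH_RE.search(line):
            findings.append(Finding(no, "medium",
                f"{name}: no --hash, so a substituted package would not be rejected"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_REQUIREMENTS), ("hardened", HARDENED_REQUIREMENTS)):
        findings = audit_requirements(text)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  line {f.line_no} [{f.severity}] {f.message}")
```

Run against the constructed weak file it reports the extra index as high and three medium findings for the unpinned and unhashed packages; the hardened file produces none. The same logic applies to a pip.conf with an extra-index-url key, which is the form Cloud Composer users are most likely to encounter.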

Final Recommendations:

While there’s no evidence that this flaw was exploited in the wild, GCP customers are encouraged to audit their environments for any risky configurations and follow the updated guidance from Google to mitigate potential supply chain threats.

Links:

https://thehackernews.com/2024/09/google-fixes-gcp-composer-flaw-that.html

https://www.darkreading.com/cloud-security/cloudimposer-flaw-google-cloud-affected-millions-servers

https://www.tenable.com/blog/cloudimposer-executing-code-on-millions-of-google-servers-with-a-single-malicious-package
