Bad.Build is a critical design flaw discovered by the Orca Research Pod in the Google Cloud Build service that enables attackers to escalate privileges and gain unauthorized access to code repositories and images in Artifact Registry.
The flaw presents a significant supply chain risk, since it allows attackers to maliciously tamper with application images, which can then infect users and customers when they install the application. As we have seen with the SolarWinds and the recent 3CX and MOVEit supply chain attacks, this can have far-reaching consequences.
We would like to thank Google for working closely with Orca and for quickly addressing one of the discovered issues.
Full article with recommendations: https://orca.security/resources/blog/bad-build-google-cloud-build-potential-supply-chain-attack-vulnerability/