Cloud Shell is a pre-authenticated prize: stealing a developer's tokens
Cloud Shell carries the developer's own scopes and a persistent home directory. An attacker harvests its tokens, plants persistence, and acts as the developer.
Cloud Shell is a convenient pre-authenticated developer workstation in the browser, which makes it a prize. Its tokens carry the developer’s own scopes and its home directory persists across sessions.
How the attack works
An attacker who has gained access to a developer’s Cloud Shell session reads the gcloud Application Default Credentials and cached OAuth tokens, capturing the developer’s GCP access. They add a malicious line to .bashrc or .customize_environment so it re-runs on every new session, planting persistence in the persistent home. Acting as the developer, they enumerate projects and clone private repositories, pulling referenced secrets. Audit logs show the API activity under the developer’s identity. In ATT&CK terms this is T1552, Unsecured Credentials, paired with T1098, Account Manipulation.
Why it works
The stolen tokens are genuinely the developer’s, so activity looks legitimate, and the developer held broad standing scopes that make the credentials valuable. The persistent home gives the attacker somewhere durable to plant a re-run.
How to fix it
Closing the session does nothing: stolen ADC and OAuth tokens work off-session, and the planted .bashrc re-runs on the next connect. Revoke the developer’s active OAuth grants and credentials so the stolen tokens stop working, scrub the persistent home for planted startup persistence, and rotate any secrets the session could reach. For the root cause, reduce standing developer scopes toward least privilege and short-lived credentials, restrict and monitor Cloud Shell for sensitive access, and detect anomalous activity and startup-file tampering. Scope the abuse by correlating audit logs to the attacker window and reviewing git and Source Repositories logs for clones, separating attacker actions from the developer’s normal work. Treat cloned secrets as compromised.
Practice it
We built this as a GraphLattice Range scenario so developers can rehearse revoking stolen Cloud Shell tokens, scrubbing home-directory persistence, and rotating cloned secrets, instead of just closing a session the tokens already outlived.