Dataflow Rider: How Attackers Can Abuse Shadow Resources In Google Cloud Dataflow
Varonis, Thursday, February 12th, 2026
Discover how attackers can hijack Google Cloud Dataflow pipelines by manipulating shadow resources and learn how to secure your environment against it.
Varonis Threat Labs discovered a novel attack technique in Google Cloud Dataflow that allows adversaries to hijack data pipelines by modifying the configuration files stored in Google Cloud Storage buckets. These files dictate how pipelines run, and because Dataflow does not validate their integrity, an attacker with basic bucket-level write access can silently replace them without breaking the pipeline's behavior.