supply chain / google-cloud-storage

Google Cloud Storage SDK

registryPyPI

package namegoogle-cloud-storage

maintainerGoogle

The Google Cloud Storage Python SDK provides access to GCS buckets for reading and writing objects, managing ACLs, and handling signed URLs. It authenticates via Application Default Credentials or a service account key file. It is used in ML pipelines for storing training data, model checkpoints, and pipeline artifacts.

api usage

Checking Google Cloud Storage SDK

google-cloud-storage 2.18.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

bash

curl "https://api.attestd.io/v1/check?product=google-cloud-storage&version=2.18.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

json

{
  "product": "google-cloud-storage",
  "version": "2.18.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}

attack surface

Why this package is monitored

Cloud storage SDKs read service account credentials from environment variables or credential files on startup. A compromised package can forward these credentials before the first bucket operation, granting full read and write access to all GCS buckets accessible by the service account.

Attestd monitors google-cloud-storage using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

pypi_yank

Versions yanked on PyPI with a security-related yanked_reason annotation. Confidence 0.80.

Supply chain overview All PyPI packages boto3 (AWS SDK)Azure Core SDK Response fields