Query was small, just a few dozen lines of Python, but he had a very specific job. He lived on a Virtual Machine—a cozy little slice of a server—and his sole purpose in life was to talk to the "Oracle" of the machine: the Metadata Server.

– For high-security workloads that don’t need Google APIs, you can disable the metadata server via VM settings (though most Google services require it).

Seven thousand miles away, in a dim apartment lit only by the glow of a terminal, an attacker named "Zero" was scanning the company's public-facing infrastructure.

Metadata-Flavor: Google

curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email"

The keyword fragment fetch-url-http-3A-2F-2F... suggests a JavaScript fetch() call or a similar HTTP client incorrectly encoding the URL. In Node.js, Python, or browser environments (though the metadata server is accessible from browsers), encoding can break the request.

In GCP, a service account is a special type of account that allows your application to interact with GCP resources without needing to authenticate with a user account. Service accounts are used to authorize access to resources, such as Cloud Storage buckets, Cloud Datastore, or Cloud Pub/Sub topics.

fetch-url-http-3A-2F-2Fmetadata.google.internal-2FcomputeMetadata-2Fv1-2Finstance-2Fservice accounts-2F