keep in mind you have to maintain/commit the initial blob and then later the malicious one (again and again, this is no pre-image attack - the initial blob has to have a well designed place with random jazz ready to be replaced)
You could just place a malicious one from the get go and no one would know (or they would know just as much -- blob do rely on virtually unconditional trust)
You could just place a malicious one from the get go and no one would know (or they would know just as much -- blob do rely on virtually unconditional trust)