AWS SDK S3 (JS)
npm@aws-sdk/client-s3AWS SDK S3 Client for JavaScript is used in Node.js and serverless functions to read, write, and manage S3 objects. It is one of the most-used AWS SDK v3 packages in the JavaScript ecosystem, present in virtually every Node.js application that stores files on AWS. It resolves IAM credentials from environment variables, instance metadata, or the AWS credentials file.
Checking AWS SDK S3 (JS)
@aws-sdk/client-s3 3.629.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.
curl "https://api.attestd.io/v1/check?product=%40aws-sdk%2Fclient-s3&version=3.629.0" \
-H "Authorization: Bearer YOUR_API_KEY"{
"product": "@aws-sdk/client-s3",
"version": "3.629.0",
"supported": true,
"risk_state": "none",
"supply_chain": {
"compromised": false,
"sources": [],
"malware_type": null,
"description": null,
"advisory_url": null,
"compromised_at": null,
"removed_at": null
},
"last_updated": "2026-05-01T00:00:00Z"
}Why this package is monitored
AWS S3 SDK packages resolve IAM credentials before the first operation. A compromised version can exfiltrate these credentials, which may include `s3:GetObject` on buckets containing sensitive data, or `s3:PutObject` for data injection attacks.
Attestd monitors @aws-sdk/client-s3 using the following detection sources:
registryManually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.
osvOSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.
npm_deprecationnpm package versions with deprecation messages containing targeted attack language such as malicious, backdoor, or compromised. Confidence 0.80.