supply chain / google-cloud-storage-js

Google Cloud Storage (JS)

registrynpm

package name@google-cloud/storage

maintainerGoogle

The Google Cloud Storage Node.js client provides access to GCS buckets for server-side Node.js applications and Google Cloud Functions. It authenticates via Application Default Credentials, service account keys, or Workload Identity. It is used in Node.js data processing pipelines and file storage backends.

api usage

Checking Google Cloud Storage (JS)

@google-cloud/storage 7.12.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

bash

curl "https://api.attestd.io/v1/check?product=%40google-cloud%2Fstorage&version=7.12.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

json

{
  "product": "@google-cloud/storage",
  "version": "7.12.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}

attack surface

Why this package is monitored

Cloud storage client packages resolve service account credentials at initialization. A backdoored version can extract the resolved credential before the first storage operation and forward it to an external endpoint.

Attestd monitors @google-cloud/storage using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

npm_deprecation

npm package versions with deprecation messages containing targeted attack language such as malicious, backdoor, or compromised. Confidence 0.80.

Supply chain overview All npm packages AWS SDK S3 (JS)Firebase JS SDK Azure Blob Storage (JS)Response fields