The code is not outright malware, but it contains powerful and risky behavior: it installs npm packages at runtime, requires them from /tmp (executing third-party code), and allows event-controlled arbitrary AWS SDK API calls, including assuming roles. An attacker who can control the custom resource event, or values such as package names, service/action, parameters, or assumedRoleArn, can execute arbitrary code, escalate privileges, exfiltrate data, or modify infrastructure. Treat this component as high-risk from a supply-chain and privilege-abuse perspective and restrict who and what can provide events to it. To minimize risk, validate and sanitize event inputs, avoid dynamic package installs, and limit role assumptions.
Live on npm for 1 hour and 24 minutes before removal. Socket users were protected even while the package was live.