Research
2025 Report: Destructive Malware in Open Source Packages
Destructive malware is rising across open source registries, using delays and kill switches to wipe code, break builds, and disrupt CI/CD.
By Kush Pandya - Dec 24, 2025
@aws-sdk/core
Advanced tools
@aws-sdk/core
This package provides common or core functionality to the AWS SDK for JavaScript (v3).
You do not need to explicitly install this package, since it will be transitively installed by AWS SDK clients.
@aws-sdk/core submodules
Core submodules are organized for distribution via the package.json exports field.
exports is supported by default by the latest Node.js, webpack, and esbuild. For react-native, it can be
enabled via instructions found at reactnative.dev/blog.
Think of @aws-sdk/core as a mono-package within the monorepo.
It preserves the benefits of modularization, for example to optimize Node.js initialization speed,
while making it easier to have a consistent version of core dependencies, reducing package sprawl when
installing an SDK client.
Guide for submodules
- Each
index.tsfile corresponding to the pattern./src/submodules/<MODULE_NAME>/index.tswill be published as a separatedist-cjsbundled submodule index using theInliner.jsbuild script. - create a folder as
./src/submodules/<SUBMODULE>including anindex.tsfile and aREADME.mdfile.- The linter will throw an error on missing submodule metadata in
package.jsonand the varioustsconfig.jsonfiles, but it will automatically fix them if possible.
- The linter will throw an error on missing submodule metadata in
- a submodule is equivalent to a standalone
@aws-sdk/<pkg>package in that importing it in Node.js will resolve a separate bundle. - submodules may not relatively import files from other submodules. Instead, directly use the
@scope/pkg/submodulename as the import.- The linter will check for this and throw an error.
- To the extent possible, correctly declaring submodule metadata is validated by the linter in
@aws-sdk/core. The linter runs duringyarn buildand also asyarn lint.
When should I create an @aws-sdk/core/submodule vs. @aws-sdk/new-package?
Keep in mind that the core package is installed by all AWS SDK clients.
If the component functionality is upstream of multiple clients, it is a good candidate for a core submodule. For example, XML serialization.
If the component's functionality is downstream of a client, for example S3 pre-signing, it should be a standalone package with potentially a peer or runtime dependency on an AWS SDK client.
FAQs
Core functions & classes shared by multiple AWS SDK clients.
The npm package @aws-sdk/core receives a total of 15,922,552 weekly downloads. As such, @aws-sdk/core popularity was classified as popular.
We found that @aws-sdk/core demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Package last updated on 30 May 2025
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Engineering with AI Podcast: The Promise of AI-First Development
Socket CTO Ahmad Nassri shares practical AI coding techniques, tools, and team workflows, plus what still feels noisy and why shipping remains human-led.
By Sarah Gooding - Dec 24, 2025
Research
/Security News
Spearphishing Campaign Abuses npm Registry to Target U.S. and Allied Manufacturing and Healthcare Organizations
A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, targeting 25 organizations across manufacturing, industrial automation, plastics, and healthcare for credential theft.
By Nicholas Anderson, Kirill Boychenko - Dec 23, 2025