Research
2025 Report: Destructive Malware in Open Source Packages
Destructive malware is rising across open source registries, using delays and kill switches to wipe code, break builds, and disrupt CI/CD.
By Kush Pandya - Dec 24, 2025
@dot/cdk
A set of tools and conventions for working with AWS CDK.
This package bstracts the class-based CDK library with a functional approach that removes a lot of heavy lifiting and repetitiveness. In addition to a clean interface, this package also automatically adds resources that are frequently used in tandem with other resources, such as SSM parameters for common SQS Queue properties like ARN and URL. Overall, this package attempts to abstract best practices with the AWS CDK that the user doesn't have to think about. Compared with the class-based inteface of AWS CDK, far less code is required to deploy resources, and resources can be understood clearly at a glance.
Requirements
This package requires an Active LTS Node version (v18+).
A Note on Documentation
Until recently this package was used internally and was not published on the registry. It's grown to a considerable size and it's intended that TypeScript type hinting and intellisense will be used for infomation on usage.
That said, documentation here will progressively improve over time.
Install
Using npm:
pnpm add @dot/cdk --save-dev
Usage
The example below demonstrates a few key features:
- creates an
Appapp - creates a
DotStackstack - creates a
RestApiand accompanyingNodeJsFunction - creates a Kinesis
DestinationStreamandStreamfor a Firehose - grants the handler necessary permissions to interact with the source
Stream
import { resolve } from 'path';
import { addApp, addApi, addFirehose, addStack, Duration, RemovalPolicy } from '@dot/cdk';
import { name } from './package.json'; // e.g. svc-batman
const app = addApp();
const scope = addStack({ app, name });
const verbs = ['GET', 'OPTIONS', 'POST'];
const DEPLOY_ENV = 'prod';
const sourcePath = resolve(__dirname, '../src');
const timeout = Duration.minutes(15);
const { handler } = addApi({
deployEnv: DEPLOY_ENV,
handler: {
entryFilePath: 'stream/lambda.ts',
environmentVariables: { DEPLOY_ENV },
scope,
sourcePath,
timeout
},
name: 'stream',
scope,
verbs
});
const { sourceStream } = addFirehose({
destinationBucket: {
autoDelete: false,
removalPolicy: RemovalPolicy.RETAIN
},
name: 'firehose',
scope,
source: { encryption: true }
});
sourceStream.grantWrite(handler);
Meta
FAQs
A set of tools and conventions for working with AWS CDK
The npm package @dot/cdk receives a total of 67 weekly downloads. As such, @dot/cdk popularity was classified as not popular.
We found that @dot/cdk demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 21 Aug 2025
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Engineering with AI Podcast: The Promise of AI-First Development
Socket CTO Ahmad Nassri shares practical AI coding techniques, tools, and team workflows, plus what still feels noisy and why shipping remains human-led.
By Sarah Gooding - Dec 24, 2025
Research
/Security News
Spearphishing Campaign Abuses npm Registry to Target U.S. and Allied Manufacturing and Healthcare Organizations
A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, targeting 25 organizations across manufacturing, industrial automation, plastics, and healthcare for credential theft.
By Nicholas Anderson, Kirill Boychenko - Dec 23, 2025