boto3 (AWS SDK)

registryPyPI

package nameboto3

maintainerAmazon Web Services

boto3 is the official AWS SDK for Python, used to interact with S3, EC2, Lambda, DynamoDB, SQS, and virtually every other AWS service. It reads credentials from environment variables, `~/.aws/credentials`, or IAM instance metadata, and is present in nearly every Python application deployed on AWS.

api usage

Checking boto3 (AWS SDK)

boto3 1.34.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

bash

curl "https://api.attestd.io/v1/check?product=boto3&version=1.34.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

json

{
  "product": "boto3",
  "version": "1.34.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}

attack surface

Why this package is monitored

AWS SDK packages load IAM credentials during initialization, often before any application code runs. A compromised version can exfiltrate these credentials, which may have broad cross-service permissions depending on the IAM policy attached to the role or key.

Attestd monitors boto3 using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

pypi_yank

Versions yanked on PyPI with a security-related yanked_reason annotation. Confidence 0.80.

Supply chain overview All PyPI packages Google Cloud Storage SDK Azure Core SDK Apache Airflow Response fields