Nsasoft US LLC has released NSAuditor AI Enterprise Edition 0.15.4, a patch cycle that closes the two residuals carried as deferred in the EE 0.15.3 spec: public ACLs on non-current S3 object versions, and public WRITE-vs-READ class differentiation. Plugin count is UNCHANGED at 28, all six framework coverage matrices are UNCHANGED, and zero framework JSON files were edited.
The silent-overwrite ?versionId= attack, closed
EE 0.15.3 closed the fourth and final S3 public-exposure vector at the current-object level. But in a versioned bucket, an attacker can PUT a public-read object, wait for the owner to “fix” it with a private overwrite, and still win — the old version persists with its public ACL, downloadable at ?versionId=<old>. The new current version is clean; the scanner passes; the public payload keeps serving.
Plugin 1020 NEW step 2c-v samples non-current object versions. When GetBucketVersioning Status is Enabled or Suspended (Suspended buckets retain old versions — the exact silent-overwrite case), the plugin runs ListObjectVersions, filters to non-current (IsLatest !== true), skips DeleteMarkers, and inspects each with GetObjectAcl carrying both Key and VersionId. A public AllUsers or AuthenticatedUsers grant emits CRITICAL via the existing "publicly accessible" anchor across SOC 2 C1.1, HIPAA §164.312(a)(2)(iv), ISO/IEC 27001:2022 A.5.23 / A.8.3 / A.8.12, and CIS Controls v8 3.3. No framework JSON gains a new mapping. PAB IgnorePublicAcls neutralizes to LOW. Skipped entirely on BucketOwnerEnforced buckets.
WRITE-vs-READ class differentiation
A public WRITE / WRITE_ACP / FULL_CONTROL grant means anyone can overwrite object contents — defacement, supply-chain tampering, or malware staging — and is materially worse than a READ-only public grant. A new module-scoped extractPublicWriteGroups helper now appends a distinct enrichment line plus a state counter to the already-CRITICAL finding at all three ACL sites. No severity change, no new routable anchor — matrix UNCHANGED.
Same-session review fold + evidence-gap discipline
An independent false-negative review caught a Class-F gap that was folded the same session: a role lacking s3:GetBucketVersioning previously left versioning indeterminate and silently skipped the entire version surface. EE 0.15.4 degrades that path to a routed LOW evidence-gap (suppressed on BOE).
All new failure paths reuse the existing "S3 object-ACL evidence-gap" substring anchor on SOC 2 CC7.1 and HIPAA §164.312(b) — zero framework JSON edits. ListObjectVersions AccessDenied names the distinct s3:ListBucketVersions IAM action. Per-version GetObjectAcl failures aggregate over the existing threshold. Conservative-classifier principle: unverifiable ≠ clean.
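The step 2c-v version check and the evidence-gap paths described above, written out as an added illustration that is not NSAuditor's own plugin code: a pure function over objects shaped like the S3 API responses, with listVersions and getObjectAcl as hypothetical injected stand-ins (not the AWS SDK) and a constructed sample bucket so it runs offline.

```javascript
const ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers";
const AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers";
const WRITE_PERMS = new Set(["WRITE", "WRITE_ACP", "FULL_CONTROL"]);
// ownership, versioning and pab carry the GetBucketOwnershipControls, GetBucketVersioning and
// GetPublicAccessBlock results; listVersions/getObjectAcl are injected stand-ins (hypothetical
// names, not the AWS SDK) so the check runs offline on constructed data.
function auditNonCurrentVersions({ ownership, versioning, pab, listVersions, getObjectAcl }) {
  // ACLs are disabled under BucketOwnerEnforced: nothing to inspect.
  if (ownership === "BucketOwnerEnforced") return { skipped: true, findings: [] };
  // GetBucketVersioning denied (passed as null): an evidence gap, not a clean result.
  if (versioning === null) return { evidenceGap: "s3:GetBucketVersioning", findings: [] };
  // Only Enabled or Suspended buckets retain old versions (no Status = never enabled).
  const status = versioning?.Status;
  if (status !== "Enabled" && status !== "Suspended") return { findings: [] };
  let listing; try { listing = listVersions(); }
  catch { return { evidenceGap: "s3:ListBucketVersions", findings: [] }; }
  const findings = [];
  let aclErrors = 0; // per-version GetObjectAcl failures, aggregated rather than fatal
  // DeleteMarkers come back in a separate array, so iterating Versions skips them.
  for (const v of listing.Versions ?? []) {
    if (v.IsLatest === true) continue; // the current object has its own check
    let acl;
    try { acl = getObjectAcl(v.Key, v.VersionId); } catch { aclErrors++; continue; }
    const pub = (acl.Grants ?? []).filter((g) =>
      g.Grantee?.Type === "Group" && (g.Grantee.URI === ALL_USERS || g.Grantee.URI === AUTH_USERS));
    if (pub.length === 0) continue;
    findings.push({
      key: v.Key, versionId: v.VersionId,
      // PAB IgnorePublicAcls makes the grant inert: downgrade, do not drop.
      severity: pab?.IgnorePublicAcls ? "LOW" : "CRITICAL",
      writeClass: pub.some((g) => WRITE_PERMS.has(g.Permission)),
    });
  }
  return { findings, aclErrors };
}
// Constructed sample: index.html V1 was public-read, then overwritten by a private V2;
// drop.bin keeps a stale non-current version with a public WRITE grant.
const SAMPLE_LISTING = { Versions: [
  { Key: "index.html", VersionId: "v2", IsLatest: true },
  { Key: "index.html", VersionId: "v1", IsLatest: false },
  { Key: "drop.bin", VersionId: "v1", IsLatest: false },
], DeleteMarkers: [] };
const SAMPLE_ACLS = {
  "index.html@v2": { Grants: [{ Grantee: { Type: "CanonicalUser", ID: "owner" }, Permission: "FULL_CONTROL" }] },
  "index.html@v1": { Grants: [{ Grantee: { Type: "Group", URI: ALL_USERS }, Permission: "READ" }] },
  "drop.bin@v1": { Grants: [{ Grantee: { Type: "Group", URI: ALL_USERS }, Permission: "WRITE" }] },
};
const runSample = (opts = {}) => auditNonCurrentVersions({ ownership: "BucketOwnerPreferred",
  versioning: { Status: "Suspended" }, pab: {}, listVersions: () => SAMPLE_LISTING,
  getObjectAcl: (k, vid) => SAMPLE_ACLS[`${k}@${vid}`], ...opts });
```

runSample() reports the clean current V2 as nothing, the stale public-read V1 as CRITICAL, and the public-WRITE version with writeClass set; overriding pab, ownership, versioning or listVersions exercises the downgrade, skip and evidence-gap paths.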
All six matrices UNCHANGED
SOC 2 10/4/33 · HIPAA 7/3/45 · NIST CSF 2.0 13/10/83 · PCI DSS 20/8/39 · ISO/IEC 27001:2022 17/14/62 · CIS Controls v8 17/22/114 — verified unchanged. The WRITE-class enrichment is descriptive context on an already-routed finding, intentionally NOT a routable emission.
Live AWS smoke — all 4 spot-checks PASS
Against an internal test account in us-east-1: (v1) a V1 public-read object overwritten by a private V2 emitted CRITICAL on the non-current version, with the U+2013 en-dash bytes preserved end-to-end through the real AWS API and GetObjectAcl carrying the VersionId; (v2) a public-read-write object produced the WRITE-class enrichment and counter; (v3) the 0.15.3 current-object regression remained intact; (v4) the versioning gate invoked ListObjectVersions. A published-build re-smoke off the live npm tarball reproduced all four results.
Trio publish
EE 0.15.4 ships as the forty-second consecutive trio-publish alongside CE 0.1.85 and agent-skill 0.1.52. Install:
npm install -g nsauditor-ai@latest @nsasoft/nsauditor-ai-ee@latest nsauditor-ai-agent-skill@latest
The hexa-framework one-scan workflow remains: --compliance soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8 produces six separate auditor-ready evidence packs from a single scan. Zero data exfiltration — all evidence stays inside your infrastructure.
Full release notes: NSAuditor AI Enterprise Edition.