registry  /  @addressiq/iqcollect-web  /  0.4.0

@addressiq/iqcollect-web@0.4.0

AddressIQ IQCollect web SDK — address collection only. For verification use the mobile SDKs.

AI Security Review

scanned 9h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The browser SDK loads Google Maps and sends consented address-collection data to fixed AddressIQ endpoints after consumer activation.

Static reason
One or more suspicious static signals were detected.
Trigger
A host application constructs `IQCollect`, calls `open()`, and a user proceeds through the address/location flow.
Impact
Expected collection of address and location data for the SDK's stated function; no install-time or covert host compromise established.
Mechanism
Browser address collection, geolocation, and fixed-host API requests.
Rationale
Direct inspection shows a user-invoked browser address-collection widget with fixed platform and Maps integrations, not malicious package behavior. The scanner's secret/network signals correspond to documented Maps configuration and the package's core API flow.
Evidence
package.jsonREADME.mddist/index.cjs.jsdist/index.esm.jsdist/index.d.tsdist/index.cjs.js.map
Network endpoints6
api.addressiqpro.comapi-staging.addressiqpro.comlocalhost:3355maps.googleapis.com/maps/api/jsaddressiqpro.com/termsaddressiqpro.com/privacy

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/index.cjs.js` embeds a Google Maps browser API key and loads the Maps script.
  • `dist/index.cjs.js` sends configured address, location, and user ID data to AddressIQ collection endpoints.
Evidence against
  • `package.json` has no preinstall/install/postinstall hooks or executable bin entry.
  • Runtime starts only when consumer constructs `IQCollect` and calls `open()`.
  • Network hosts are fixed AddressIQ environment URLs plus Google Maps, matching an address-collection SDK.
  • No child-process, filesystem, eval, dynamic loading, cookie harvesting, WebSocket, or persistence primitives found.
  • `dist/index.cjs.js` uses browser geolocation and address submission only through its visible UI/API flow.
  • The apparent secret is documented build configuration for the browser Maps integration, not a hidden credential harvester.
Behavioral surface
Source
Network
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 3 file(s), 198 KB of source, external domains: addressiqpro.com, api-staging.addressiqpro.com, api.addressiqpro.com, cdn.addressiqpro.com, docs.addressiqpro.com, maps.googleapis.com, www.w3.org

Source & flagged code

6 flagged · loading source
dist/index.cjs.jsView file
696patternName = google_api_key severity = high line = 696 matchedText = * `"AIza...tHub
High
High Secret

Package contains a high-severity secret pattern.

dist/index.cjs.jsView on unpkg · L696
696patternName = google_api_key severity = high line = 696 matchedText = * `"AIza...tHub
High
Secret Pattern

Google API key in dist/index.cjs.js

dist/index.cjs.jsView on unpkg · L696
709patternName = google_api_key severity = high line = 709 matchedText = mapsKey:...y1w"
High
Secret Pattern

Google API key in dist/index.cjs.js

dist/index.cjs.jsView on unpkg · L709
dist/iqcollect.jsView file
1patternName = google_api_key severity = high line = 1 matchedText = !functio...y});
High
Secret Pattern

Google API key in dist/iqcollect.js

dist/iqcollect.jsView on unpkg · L1
dist/index.esm.jsView file
694patternName = google_api_key severity = high line = 694 matchedText = * `"AIza...tHub
High
Secret Pattern

Google API key in dist/index.esm.js

dist/index.esm.jsView on unpkg · L694
707patternName = google_api_key severity = high line = 707 matchedText = mapsKey:...y1w"
High
Secret Pattern

Google API key in dist/index.esm.js

dist/index.esm.jsView on unpkg · L707

Findings

6 High1 Medium4 Low
HighHigh Secretdist/index.cjs.js
HighSecret Patterndist/index.cjs.js
HighSecret Patterndist/index.cjs.js
HighSecret Patterndist/iqcollect.js
HighSecret Patterndist/index.esm.js
HighSecret Patterndist/index.esm.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License