registry  /  @flarehr/apollo-benefits  /  0.4.20665

@flarehr/apollo-benefits@0.4.20665

Flare Benefits

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The only non-runtime mutation surface is the `prepare` lifecycle hook. It invokes Husky setup for a parent-project Git hook directory; no concrete malicious hook contents are packaged.

Static reason
No blocking static signals were detected.
Trigger
npm lifecycle execution of `prepare`, such as source/development installation.
Impact
May configure development VCS hooks; no payload, persistence beyond Husky hooks, or exfiltration was confirmed.
Mechanism
Prepare-time Husky Git-hook setup targeting a parent project path.
Rationale
Source inspection found a prepare-only Husky setup command that crosses into a parent project path, which warrants a warning under the lifecycle policy. The distributed browser code otherwise shows ordinary application authentication, API, and analytics behavior without a concrete malicious chain.
Evidence
package.jsondist/sw-esm.jsdist/index.htmldist/config.jsondist/assets/index-f2d12afc.jsdist/assets/index-e3b6610a.jsdist/assets/vendor-a6810c59.jsdist/assets/oidc-client-3a9688bc.jsdist/assets/datadog-92341ed7.js

Decision evidence

public snapshot
AI called this Suspicious at 83.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` defines a `prepare` lifecycle command.
  • That command invokes Husky installation and targets `../benefits-client/.husky`, outside the package directory.
Evidence against
  • Published contents are a browser application under `dist/`, not an installer payload.
  • No `preinstall`, `install`, or `postinstall` hook is present.
  • `dist/sw-esm.js` deregisters an existing service worker rather than persisting one.
  • Runtime networking is app/analytics aligned: Flare, Google Tag Manager, Segment, and configured API/OIDC endpoints.
  • No source evidence of shell payload execution, credential harvesting, exfiltration, or AI-agent control-surface writes.
Behavioral surface
Source
ChildProcessEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 1.15 MB of source, external domains: bit.ly, d20xtzwzcl0ceb.cloudfront.net, d3uc069fcn7uxw.cloudfront.net, docs.datadoghq.com, embed.typeform.com, fb.me, github.com, www.datad0g-browser-agent.com, www.datadoghq-browser-agent.com, www.flarehr.com, www.w3.org

Source & flagged code

1 flagged · loading source
dist/assets/vendor-a6810c59.jsView file
793L794: It is also possible the Google Analytics was blocked by your adblock plugin.`)};l.setupGaInstance=function(p,h,b){var _=typeof b=="string"?b:void 0;if(window.gtag){if(_||(_=functio... L795: In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}var a,o=!0,u=!1;return{s:function(){n=n.call(e)},n:function(){var c=n.next();return o=c.done,c}...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/assets/vendor-a6810c59.jsView on unpkg · L793

Findings

2 Medium7 Low
MediumNetwork
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/assets/vendor-a6810c59.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings