registry  /  @flarehr/apollo-benefits  /  0.4.20649

@flarehr/apollo-benefits@0.4.20649

Flare Benefits

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The prepare hook can configure Husky hooks in a sibling `benefits-client/.husky` directory. No concrete malicious runtime or exfiltration behavior was established.

Static reason
No blocking static signals were detected.
Trigger
npm lifecycle execution of `prepare` in the expected parent-project layout
Impact
May modify a sibling repository's Husky hook configuration during prepare.
Mechanism
prepare-time VCS hook setup outside the package directory
Rationale
No concrete malicious chain was found, but the prepare lifecycle hook mutates an external sibling hook directory. Treat it as a non-blocking lifecycle-risk warning.
Evidence
package.jsondist/index.htmldist/config.jsondist/sw-esm.js../benefits-client/.husky
Network endpoints3
npm-cdn.flarehr.comwww.googletagmanager.comcdn.segment.com

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` defines `prepare`: `cd .. && husky install benefits-client/.husky`.
  • The hook targets a sibling project directory outside the package root.
Evidence against
  • No `preinstall`, `install`, or `postinstall` hook is declared.
  • Published files are a browser app under `dist/`; no Node package entrypoint is declared.
  • No package source evidence of credential harvesting, filesystem reads, shell payloads, or AI-agent config writes.
  • `dist/index.html` remote modules and analytics are application-runtime integrations, not install-time execution.
Behavioral surface
Source
ChildProcessEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 1.15 MB of source, external domains: bit.ly, d20xtzwzcl0ceb.cloudfront.net, d3uc069fcn7uxw.cloudfront.net, docs.datadoghq.com, embed.typeform.com, fb.me, github.com, www.datad0g-browser-agent.com, www.datadoghq-browser-agent.com, www.flarehr.com, www.w3.org

Source & flagged code

1 flagged · loading source
dist/assets/vendor-a6810c59.jsView file
793L794: It is also possible the Google Analytics was blocked by your adblock plugin.`)};l.setupGaInstance=function(p,h,b){var _=typeof b=="string"?b:void 0;if(window.gtag){if(_||(_=functio... L795: In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}var a,o=!0,u=!1;return{s:function(){n=n.call(e)},n:function(){var c=n.next();return o=c.done,c}...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/assets/vendor-a6810c59.jsView on unpkg · L793

Findings

2 Medium7 Low
MediumNetwork
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/assets/vendor-a6810c59.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings