registry  /  @flarehr/apollo-benefits  /  1.4.18560

@flarehr/apollo-benefits@1.4.18560

Flare Benefits

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed attack surface beyond normal browser application runtime. The package is a built Flare Benefits frontend that performs auth/API/analytics requests when loaded in a browser.

Static reason
No blocking static signals were detected.
Trigger
Browser loads dist/index.html; prepare may run only during source install workflows.
Impact
No install-time compromise, credential harvesting, remote payload execution by npm lifecycle, persistence, or destructive behavior found.
Mechanism
Vite-built frontend app with OIDC, telemetry, CDN-loaded Flare modules, and API calls
Rationale
Static inspection shows a normal frontend package with a prepare-only Husky setup command and bundled browser assets; scanner network/eval hints are attributable to ordinary web app libraries and configured runtime integrations. No concrete malicious install-time, import-time, exfiltration, persistence, destructive, or AI-agent control-surface behavior is present.
Evidence
package.jsonREADME.mddist/index.htmldist/config.jsondist/manifest.jsondist/sw-esm.jsdist/assets/index-6b5e9b6c.jsdist/assets/vendor-a6810c59.jsdist/assets/oidc-client-3a9688bc.jsdist/assets/datadog-aea8b9dd.js../benefits-client/.husky
Network endpoints8
www.flarehr.com/cars/calculatorwww.googletagmanager.com/gtm.jswww.googletagmanager.com/ns.htmlcdn.segment.com/analytics.js/v1/rsms.me/inter/inter.cssnpm-cdn.flarehr.com/@flarehr/salpac-cars-calculator@__ENVIRONMENT/dist/salpac-cars-calculator.jsnpm-cdn.flarehr.com/@flarehr/apollo-customer-workplace-link@__ENVIRONMENT/build/bundle.esm.jsnpm-cdn.flarehr.com/@flarehr/benefits-plan-assessment@__ENVIRONMENT/dist/benefits-plan-assessment.js

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • No confirmed malicious behavior identified
Evidence against
  • package.json has only prepare lifecycle: cd .. && husky install benefits-client/.husky; no preinstall/install/postinstall hook
  • No bin/main/module entrypoints in package.json; published files are dist-only browser assets
  • dist/index.html loads Google Tag Manager, Segment, Inter CSS, and three flarehr npm-cdn modules for app features
  • dist/config.json contains deployment placeholders plus Flare/contentful configuration, not host filesystem or npm credential targets
  • dist/sw-esm.js only unregisters the current service worker and reloads clients
  • Search found browser library storage/fetch/telemetry code, not child_process/fs/env harvesting or AI-agent control writes
Behavioral surface
Source
ChildProcessEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 1.15 MB of source, external domains: bit.ly, d20xtzwzcl0ceb.cloudfront.net, d3uc069fcn7uxw.cloudfront.net, docs.datadoghq.com, embed.typeform.com, fb.me, github.com, www.datad0g-browser-agent.com, www.datadoghq-browser-agent.com, www.flarehr.com, www.w3.org

Source & flagged code

1 flagged · loading source
dist/assets/vendor-a6810c59.jsView file
793L794: It is also possible the Google Analytics was blocked by your adblock plugin.`)};l.setupGaInstance=function(p,h,b){var _=typeof b=="string"?b:void 0;if(window.gtag){if(_||(_=functio... L795: In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}var a,o=!0,u=!1;return{s:function(){n=n.call(e)},n:function(){var c=n.next();return o=c.done,c}...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/assets/vendor-a6810c59.jsView on unpkg · L793

Findings

2 Medium7 Low
MediumNetwork
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/assets/vendor-a6810c59.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings