AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious npm install/import attack surface was found. Runtime network behavior is a browser benefits app using configured Flare APIs, OIDC, analytics, Contentful, and Flare-owned CDN modules.
Static reason
No blocking static signals were detected.
Trigger
Browser loads dist/index.html or app routes after deployment; prepare runs only during package development/VCS install.
Impact
No evidence of credential harvesting, shell execution, persistence, destructive behavior, or unconsented agent control-surface mutation.
Mechanism
Vite-built Preact web application with OIDC auth and analytics
Rationale
Static inspection shows a packaged browser application with expected Flare Benefits API calls and third-party analytics, not install-time malware. The prepare hook is a husky development hook and there is no concrete exfiltration, shell execution, persistence, or broad AI-agent config mutation.
Evidence
package.jsondist/index.htmldist/config.jsondist/sw-esm.jsdist/assets/index-e900c0ab.jsdist/assets/datadog-0aa35f8a.js
Network endpoints8
www.flarehr.com/cars/calculatorwww.googletagmanager.com/gtm.jswww.googletagmanager.com/ns.htmlcdn.segment.com/analytics.js/v1/npm-cdn.flarehr.com/@flarehr/salpac-cars-calculator@__ENVIRONMENT/dist/salpac-cars-calculator.jsnpm-cdn.flarehr.com/@flarehr/apollo-customer-workplace-link@__ENVIRONMENT/build/bundle.esm.jsnpm-cdn.flarehr.com/@flarehr/benefits-plan-assessment@__ENVIRONMENT/dist/benefits-plan-assessment.jsdatadoghq.com
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall; only prepare runs husky install for local VCS hooks.
- Published files are dist web app assets, config, manifest, icons, and service worker; no Node entrypoint or bin.
- dist/index.html loads Flare-owned npm-cdn modules plus Google Tag Manager and Segment analytics.
- dist/config.json contains Flare app configuration, Contentful public API key, and cars calculator URL.
- dist/assets/index-e900c0ab.js uses configured Flare backend APIs with bearer auth for normal app workflows.
- dist/sw-esm.js only unregisters the current service worker and navigates existing clients.
Behavioral surface
ChildProcessEvalFilesystemNetwork
HighEntropyStringsMinifiedTelemetryUrlStrings
Source & flagged code
1 flagged · loading sourcedist/assets/vendor-a6810c59.jsView file
793L794: It is also possible the Google Analytics was blocked by your adblock plugin.`)};l.setupGaInstance=function(p,h,b){var _=typeof b=="string"?b:void 0;if(window.gtag){if(_||(_=functio...
L795: In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}var a,o=!0,u=!1;return{s:function(){n=n.call(e)},n:function(){var c=n.next();return o=c.done,c}...
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/assets/vendor-a6810c59.jsView on unpkg · L793Findings
2 Medium7 Low
MediumNetwork
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/assets/vendor-a6810c59.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings