registry  /  @flarehr/apollo-benefits  /  1.4.19109

@flarehr/apollo-benefits@1.4.19109

Flare Benefits

AI Security Review

scanned 5h ago · by lpm-firewall-ai

A prepare-time Husky setup can mutate a local VCS-hook directory when lifecycle scripts run. Browser runtime also loads configured application services and package-aligned third-party analytics/modules; no concrete malicious payload was found.

Static reason
No blocking static signals were detected.
Trigger
Git/local install that runs `prepare`; browser loading `dist/index.html`
Impact
Local Git hook setup; runtime dependency and telemetry trust exposure
Mechanism
Prepare-time VCS hook setup and browser remote-module loading
Rationale
Source inspection found a prepare-only Husky hook setup, which warrants a warning under the stated lifecycle policy. No concrete malware behavior or unconsented install-time AI-agent control-surface mutation was established.
Evidence
package.jsondist/index.htmldist/assets/index-b8d37dda.jsdist/assets/oidc-client-3a9688bc.jsdist/sw-esm.jsdist/config.json
Network endpoints3
www.googletagmanager.comcdn.segment.comnpm-cdn.flarehr.com

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` `prepare` runs `husky install` and targets a parent-project `.husky` path.
  • `dist/index.html` loads remote GTM, Segment, and FlareHR npm-CDN modules at browser runtime.
Evidence against
  • No `preinstall`, `install`, or `postinstall` lifecycle hook.
  • No child-process, filesystem-harvesting, credential-exfiltration, or destructive primitive found in shipped files.
  • `dist/assets/index-b8d37dda.js` uses JWTs for configured Flare Benefits API requests.
  • `dist/sw-esm.js` only unregisters an existing service worker.
Behavioral surface
Source
ChildProcessEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 1.15 MB of source, external domains: bit.ly, d20xtzwzcl0ceb.cloudfront.net, d3uc069fcn7uxw.cloudfront.net, docs.datadoghq.com, embed.typeform.com, fb.me, github.com, www.datad0g-browser-agent.com, www.datadoghq-browser-agent.com, www.flarehr.com, www.w3.org

Source & flagged code

1 flagged · loading source
dist/assets/vendor-a6810c59.jsView file
793L794: It is also possible the Google Analytics was blocked by your adblock plugin.`)};l.setupGaInstance=function(p,h,b){var _=typeof b=="string"?b:void 0;if(window.gtag){if(_||(_=functio... L795: In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}var a,o=!0,u=!1;return{s:function(){n=n.call(e)},n:function(){var c=n.next();return o=c.done,c}...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/assets/vendor-a6810c59.jsView on unpkg · L793

Findings

2 Medium7 Low
MediumNetwork
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/assets/vendor-a6810c59.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings