registry  /  @flarehr/apollo-benefits  /  1.4.19199

@flarehr/apollo-benefits@1.4.19199

Flare Benefits

AI Security Review

scanned 5h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a browser application with expected authentication, API, analytics, and first-party CDN integrations.

Static reason
No blocking static signals were detected.
Trigger
Browser loads dist/index.html and the application bundle.
Impact
No package-install mutation, credential harvesting, persistence, destructive action, or unconsented control-surface modification found.
Mechanism
Loads browser app configuration, authenticated backend requests, and analytics/first-party UI modules.
Rationale
Source inspection shows a bundled Flare Benefits browser client with normal OIDC bearer-token API use and analytics integrations. No concrete malicious behavior or install-time broad control-surface mutation was found.
Evidence
package.jsondist/index.htmldist/config.jsondist/assets/index-2788a143.jsdist/assets/vendor-a6810c59.jsdist/sw-esm.jsdist/assets/oidc-client-3a9688bc.js
Network endpoints5
www.googletagmanager.com/gtm.js?id=cdn.segment.com/analytics.js/v1/npm-cdn.flarehr.com/@flarehr/salpac-cars-calculator@__ENVIRONMENT/dist/salpac-cars-calculator.jsnpm-cdn.flarehr.com/@flarehr/apollo-customer-workplace-link@__ENVIRONMENT/build/bundle.esm.jsnpm-cdn.flarehr.com/@flarehr/benefits-plan-assessment@__ENVIRONMENT/dist/benefits-plan-assessment.js

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json only defines a prepare hook for Husky setup; no install/preinstall/postinstall hook.
    • dist/assets/index-2788a143.js is a browser benefits app that loads config and makes bearer-authenticated API requests.
    • dist/sw-esm.js only unregisters an existing service worker and reloads clients.
    • No child-process, filesystem, environment-harvesting, or AI-agent-control writes found in package files.
    • vendor Function calls are bundled dependency code; no concrete payload or attacker-controlled execution chain established.
    Behavioral surface
    Source
    ChildProcessEvalFilesystemNetwork
    Supply chain
    HighEntropyStringsMinifiedTelemetryUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 9 file(s), 1.15 MB of source, external domains: bit.ly, d20xtzwzcl0ceb.cloudfront.net, d3uc069fcn7uxw.cloudfront.net, docs.datadoghq.com, embed.typeform.com, fb.me, github.com, www.datad0g-browser-agent.com, www.datadoghq-browser-agent.com, www.flarehr.com, www.w3.org

    Source & flagged code

    1 flagged · loading source
    dist/assets/vendor-a6810c59.jsView file
    793L794: It is also possible the Google Analytics was blocked by your adblock plugin.`)};l.setupGaInstance=function(p,h,b){var _=typeof b=="string"?b:void 0;if(window.gtag){if(_||(_=functio... L795: In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}var a,o=!0,u=!1;return{s:function(){n=n.call(e)},n:function(){var c=n.next();return o=c.done,c}...
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/assets/vendor-a6810c59.jsView on unpkg · L793

    Findings

    2 Medium7 Low
    MediumNetwork
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowEvaldist/assets/vendor-a6810c59.js
    LowFilesystem
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings