AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is a browser benefits application that calls its configured application backends and telemetry providers at runtime.
Static reason
No blocking static signals were detected.
Trigger
Browser loads `dist/index.html` and a user authenticates or interacts with the benefits application.
Impact
No install-time mutation, credential/file harvesting, shell execution, remote payload execution, or destructive behavior found.
Mechanism
Preact UI with configured authenticated API/OIDC requests and analytics telemetry.
Rationale
Read-only inspection found a conventional distributed browser application with expected backend, OIDC, analytics, and telemetry behavior. No concrete malicious chain or unconsented install-time control-surface mutation was found.
Evidence
package.jsondist/index.htmldist/config.jsondist/sw-esm.jsdist/assets/index-0c214a5b.jsdist/assets/vendor-a6810c59.jsdist/assets/datadog-8f3e89e5.jsREADME.md
Network endpoints6
cdn.segment.comwww.googletagmanager.comnpm-cdn.flarehr.comwww.flarehr.comwww.datadoghq-browser-agent.comwww.datad0g-browser-agent.com
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- `package.json` has no preinstall/install/postinstall hooks; prepare only installs a package-owned Husky hook.
- Shipped code is a Preact browser app loaded by `dist/index.html`, not a Node executable.
- `dist/config.json` contains application API/OIDC placeholders and Flare content configuration.
- Network code in `dist/assets/index-0c214a5b.js` uses configured APIs with authenticated app requests.
- `new Function` in `dist/assets/vendor-a6810c59.js` is bundled library/browser global and SVG script handling.
- Cookie and beacon calls in `dist/assets/datadog-8f3e89e5.js` are Datadog telemetry behavior.
Behavioral surface
ChildProcessEvalFilesystemNetwork
HighEntropyStringsMinifiedTelemetryUrlStrings
Source & flagged code
1 flagged · loading sourcedist/assets/vendor-a6810c59.jsView file
793L794: It is also possible the Google Analytics was blocked by your adblock plugin.`)};l.setupGaInstance=function(p,h,b){var _=typeof b=="string"?b:void 0;if(window.gtag){if(_||(_=functio...
L795: In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}var a,o=!0,u=!1;return{s:function(){n=n.call(e)},n:function(){var c=n.next();return o=c.done,c}...
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/assets/vendor-a6810c59.jsView on unpkg · L793Findings
2 Medium7 Low
MediumNetwork
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/assets/vendor-a6810c59.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings