registry  /  @flarehr/promoted-benefits-ui  /  1.0.1020

@flarehr/promoted-benefits-ui@1.0.1020

Flare Promoted Benefits

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. This is a browser UI that obtains configuration from its same-origin path, calls configured benefits APIs with the active user token, reports telemetry, and notifies its embedding parent of layout/session state.

Static reason
No blocking static signals were detected.
Trigger
Loading dist/index.html in a browser.
Impact
Normal promoted-benefits rendering, authenticated API access, analytics, and outbound promotional navigation.
Mechanism
Browser UI API calls, telemetry initialization, and iframe parent notifications.
Rationale
Source inspection shows a packaged Preact/Vite browser widget with expected authenticated benefits requests and Datadog telemetry. No concrete install-time mutation, exfiltration chain, remote payload execution, persistence, or destructive behavior was found.
Evidence
package.jsondist/index.htmldist/assets/index-C3A79HTM.jsREADME.mddist/assets/index-BKQX8kED.css
Network endpoints2
www.datadoghq-browser-agent.com/us1/v5/datadog-rum.jseconnex.com.au/?rc=862160&utm_source=promoted_benefits&utm_medium=fallback&utm_campaign=energy_alwayson&utm_content=energy_intialoffer

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/index.html loads Datadog RUM.
  • dist/assets/index-C3A79HTM.js sends authenticated benefit and telemetry requests to runtime-configured endpoints.
  • dist/assets/index-C3A79HTM.js uses window.parent.postMessage with wildcard target origin.
Evidence against
  • package.json has no preinstall, install, or postinstall hook.
  • package.json's prepare hook only invokes husky; no hook configuration is packaged.
  • No child-process, eval, dynamic code loading, credential harvesting, filesystem access, or persistence code found.
  • Bundle posts only resize and session-expiry notifications to its embedding parent.
  • The external Econnex URL is a visible promotional action, not a payload source.
Behavioral surface
Source
Network
Supply chain
HighEntropyStringsMinifiedTrivialUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 31.2 KB of source, external domains: econnex.com.au, github.com, www.w3.org

Source & flagged code

2 flagged · loading source
dist/assets/index-C3A79HTM.jsView file
Published source reference
Low
Ai Review Evidence

dist/assets/index-C3A79HTM.js sends authenticated benefit and telemetry requests to runtime-configured endpoints.

dist/assets/index-C3A79HTM.jsView on unpkg
Published source reference
Low
Ai Review Evidence

dist/assets/index-C3A79HTM.js uses window.parent.postMessage with wildcard target origin.

dist/assets/index-C3A79HTM.jsView on unpkg

Findings

1 Medium7 Low
MediumNetwork
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowAi Review Evidence
LowAi Review Evidencedist/assets/index-C3A79HTM.js
LowAi Review Evidencedist/assets/index-C3A79HTM.js