registry  /  @flarehr/promoted-benefits-ui  /  1.0.1023

@flarehr/promoted-benefits-ui@1.0.1023

Flare Promoted Benefits

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The only lifecycle concern is a Husky `prepare` command that may set up VCS hooks in development contexts; no hook payload is shipped.

Static reason
No blocking static signals were detected.
Trigger
Development/install lifecycle invoking `prepare`; browser load and user promotion interactions.
Impact
Potential local VCS-hook setup; no destructive, exfiltration, remote-code, or AI-agent-control behavior confirmed.
Mechanism
Husky prepare hook plus browser promotion, OAuth, and telemetry requests.
Rationale
Source inspection found no concrete malicious chain. Per lifecycle policy, the `prepare`-time Husky hook setup warrants a non-blocking warning despite the absence of a shipped hook payload.
Evidence
package.jsondist/index.htmldist/assets/index-3g5dKfNH.jsREADME.md
Network endpoints2
www.datadoghq-browser-agent.com/us1/v5/datadog-rum.jseconnex.com.au/?rc=862160&utm_source=promoted_benefits&utm_medium=fallback&utm_campaign=energy_alwayson&utm_content=energy_intialoffer

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • package.json: `prepare` invokes Husky, a VCS-hook setup lifecycle command.
  • package.json: package ships only `dist/`; no package-owned hook scripts are present.
Evidence against
  • dist/assets/index-3g5dKfNH.js is a browser UI bundle with config, OAuth, promotion, and telemetry flows.
  • No preinstall/install/postinstall hook, shell execution, filesystem access, eval, dynamic code loading, or credential harvesting found.
  • dist/index.html loads Datadog RUM with masked user input; bundle telemetry targets runtime-configured package backend.
  • The Econnex URL is an explicit public promotion link opened by UI interaction.
Behavioral surface
Source
Network
Supply chain
HighEntropyStringsMinifiedTrivialUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 31.2 KB of source, external domains: econnex.com.au, github.com, www.w3.org

Source & flagged code

2 flagged · loading source
package.jsonView file
Published source reference
Medium
Suspicious Lifecycle Evidence

package.json: `prepare` invokes Husky, a VCS-hook setup lifecycle command.

package.jsonView on unpkg
Published source reference
Medium
Ai Review Evidence

package.json: package ships only `dist/`; no package-owned hook scripts are present.

package.jsonView on unpkg

Findings

3 Medium4 Low
MediumNetwork
MediumSuspicious Lifecycle Evidencepackage.json
MediumAi Review Evidencepackage.json
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings