AI Security Review
scanned 5d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a React/Redux sales UI library; observed network use is for app API calls, maps, documents, and static assets.
Static reason
One or more suspicious static signals were detected.
Trigger
runtime use of exported React hooks/components
Impact
No unauthorized execution, credential harvesting, persistence, or destructive behavior identified.
Mechanism
package-aligned UI rendering and Redux API queries
Rationale
Static inspection found exposed/embedded service URLs and a Google Maps key, but their use is visible UI functionality aligned with a sales/logistics component library. No install-time/import-time execution, shell execution, file harvesting, exfiltration, persistence, or AI-agent control-surface mutation was found.
Evidence
package.jsondist/index.jsdist/hooks/load/loadLastLocation.jsdist/redux/api/salesApi.jsdist/hooks/archerFilesDataGrid/archerFilesDataGrid.js
Network endpoints7
maps.googleapis.com/maps/api/staticmapwww.google.com/maps/storage.googleapis.com/archer-public/service-levels/storage.googleapis.com/archer-app/docs.google.com/document/mycarrierpackets.com/CarrierInformation/DOTNumber/accounting.wa.archer-app.com/kickbacks
Decision evidence
public snapshotAI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/hooks/load/loadLastLocation.js embeds a Google Maps API key in a staticmap URL.
- dist/hooks/archerFilesDataGrid/archerFilesDataGrid.js builds share links containing server-provided file tokens.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks or bin entry.
- dist/index.js only re-exports entities, redux, hooks, and i18n modules.
- dist/redux/api/salesApi.js uses @nerdjs/nerd-network base query for package-aligned sales API endpoints.
- No child_process, eval/new Function, filesystem writes, native binaries, or obfuscated payloads found in inspected JS.
- Google Maps and storage.googleapis.com URLs are UI/resource links, not exfiltration endpoints.
Behavioral surface
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/hooks/load/loadLastLocation.jsView file
102patternName = google_api_key
severity = high
line = 102
matchedText = }, onCli...}));
High
High Secret
Package contains a high-severity secret pattern.
dist/hooks/load/loadLastLocation.jsView on unpkg · L102102patternName = google_api_key
severity = high
line = 102
matchedText = }, onCli...}));
High
Secret Pattern
Google API key in dist/hooks/load/loadLastLocation.js
dist/hooks/load/loadLastLocation.jsView on unpkg · L102Findings
2 High3 Low
HighHigh Secretdist/hooks/load/loadLastLocation.js
HighSecret Patterndist/hooks/load/loadLastLocation.js
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings