AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package is a React/Redux sales UI library; the scanner secret hit is a client-side Google Maps key used for map display, not credential harvesting or exfiltration.
Static reason
One or more suspicious static signals were detected.
Trigger
User imports/renders exported React components; some network activity occurs through app API hooks or user-clicked links.
Impact
Displays sales data and third-party map/assets links; no install-time mutation, persistence, or code execution found.
Mechanism
UI components and RTK Query endpoints for sales-service data
Rationale
Static inspection found ordinary React UI/Redux code with app-aligned endpoints and user-visible external links; the embedded Google Maps key is exposed but does not establish malicious behavior. There is no lifecycle execution, dangerous runtime primitive, payload loading, persistence, destructive action, or exfiltration chain.
Evidence
package.jsondist/index.jsdist/hooks/load/loadLastLocation.jsdist/redux/api/salesApi.jsdist/redux/api/docaiApi.jsdist/hooks/carrier/carrierActionBar.jsdist/hooks/lep/lepActionBar.js
Network endpoints7
www.google.com/maps/maps.googleapis.com/maps/api/staticmapstorage.googleapis.com/archer-public/service-levels/storage.googleapis.com/archer-app/mycarrierpackets.com/CarrierInformation/DOTNumber/accounting.wa.archer-app.com/kickbacksdocs.google.com/document/
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/hooks/load/loadLastLocation.js embeds a Google Maps API key in a staticmap image URL.
- Runtime UI can open Google Maps and other user-clicked third-party links.
Evidence against
- package.json has no preinstall/install/postinstall hooks; scripts are dev/build/test only.
- dist/index.js only re-exports entities, redux, hooks, and i18n modules.
- No child_process, fs, vm, eval, Function, process.env, or cookie access found in dist/package.json scan.
- dist/redux/api/salesApi.js and docaiApi.js use @nerdjs/nerd-network baseQuery for app-aligned API calls.
- No native binaries, shell scripts, wasm, or executable payload files found.
Behavioral surface
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/hooks/load/loadLastLocation.jsView file
117patternName = google_api_key
severity = high
line = 117
matchedText = }, onCli...}));
High
High Secret
Package contains a high-severity secret pattern.
dist/hooks/load/loadLastLocation.jsView on unpkg · L117117patternName = google_api_key
severity = high
line = 117
matchedText = }, onCli...}));
High
Secret Pattern
Google API key in dist/hooks/load/loadLastLocation.js
dist/hooks/load/loadLastLocation.jsView on unpkg · L117Findings
2 High3 Low
HighHigh Secretdist/hooks/load/loadLastLocation.js
HighSecret Patterndist/hooks/load/loadLastLocation.js
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings