registry  /  @reltio/pivoting  /  1.4.2324

@reltio/pivoting@1.4.2324

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a bundled Reltio pivoting/dashboard UI component that runs when imported by an application.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Application imports or renders bundle.js.
Impact
No credential theft, arbitrary code execution, persistence, destructive behavior, or install-time mutation identified.
Mechanism
React UI components using host SDK APIs and benign map/image fetches
Rationale
Direct source inspection does not support the scanner's malicious/protestware label; suspicious strings resolve to ordinary bundled frontend libraries and UI terms. There is no lifecycle execution or concrete exfiltration/destructive/persistence behavior.
Evidence
package.jsonbundle.jsbundle.js.LICENSE.txt
Network endpoints2
reltio-images.s3.amazonaws.com/api/s3.amazonaws.com/reltio-ui-files/map_resources/us-albers.json

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no lifecycle scripts; main is bundle.js.
    • Package contains only package.json, bundle.js, and bundle.js.LICENSE.txt.
    • bundle.js is a UMD/webpack React UI bundle importing MUI, React, Reltio MDM modules, and UI helpers.
    • No child_process, fs/http native requires, env/credential harvesting, AI-agent config writes, or destructive file operations found.
    • Network use is limited to UI/runtime data loading, including Reltio/S3 image or map resources and host SDK calls.
    • Scanner protestware hint appears noisy: direct searches found no protest/Ukraine/Russia/Belarus terms; 'war' matches normal words like Forward/Backward.
    Behavioral surface
    Source
    ChildProcess
    Supply chain
    HighEntropyStringsMinifiedProtestwareTrivial
    Manifest
    NoLicense
    scanned 1 file(s), 1.56 MB of source

    Source & flagged code

    0 flagged
    No flagged code excerpts are attached to this scan.

    Findings

    1 Critical2 Low
    CriticalProtestware
    LowHigh Entropy Strings
    LowNo License