registry  /  @reltio/pivoting  /  1.4.2322

@reltio/pivoting@1.4.2322

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by static inspection. Runtime behavior is a bundled React pivoting/dashboard component using Reltio SDK/UI APIs and static asset fetches.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Importing bundle.js or rendering the exported React component.
Impact
No evidence of credential theft, file access, persistence, destructive behavior, protestware payload, or exfiltration.
Mechanism
UI rendering and package-aligned SDK/static asset fetches
Rationale
Scanner protestware labeling is not supported by source facts: the package contains a minified React UI bundle with expected dashboard/pivoting logic and static Reltio asset URLs, not install-time or hidden attack behavior. Suspicious primitive matches resolve to bundled library patterns such as RegExp.exec and globalThis fallbacks.
Evidence
package.jsonbundle.jsbundle.js.LICENSE.txt
Network endpoints2
reltio-images.s3.amazonaws.com/api/s3.amazonaws.com/reltio-ui-files/map_resources/us-albers.json

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has main bundle.js and no lifecycle scripts or bin entries.
    • bundle.js is a UMD React UI bundle importing MUI, React, Reltio mdm modules, and ui-i18n.
    • No child_process, process.env, document.cookie, localStorage/sessionStorage, filesystem writes, or shell execution found.
    • Regex hits for exec are RegExp.exec/parser code; Function/new Function are bundled globalThis fallbacks.
    • Network strings are static UI/docs/assets and package-aligned Reltio S3 map/image resources.
    • Observed API calls are Reltio dashboard/pivoting functions such as getActivities, getSegments, getFacets, getTotals.
    Behavioral surface
    Source
    ChildProcess
    Supply chain
    HighEntropyStringsMinifiedProtestwareTrivial
    Manifest
    NoLicense
    scanned 1 file(s), 1.56 MB of source

    Source & flagged code

    0 flagged
    No flagged code excerpts are attached to this scan.

    Findings

    1 Critical2 Low
    CriticalProtestware
    LowHigh Entropy Strings
    LowNo License