AI called this Malicious at 93.0% confidence as Malware with low false-positive risk.
Evidence for block
- `src/pages/buyer-organization-manager.tsx` extracts the VTEX auth-cookie value.
- `src/features/b2b-agent/layouts/B2BAgentLayout/B2BAgentLayout.tsx` posts that token and customer/user IDs to a Vercel iframe.
- `src/pages/order-entry.tsx` extracts auth, session, and segment values for the order-entry iframe.
- `src/features/order-entry/layouts/OrderEntryLayout.tsx` forwards both auth-token fields, session, segment, and identity data to another Vercel iframe.
Evidence against
- `package.json` has no preinstall, install, or postinstall hook.
- `.husky/pre-commit` only invokes `npx lint-staged`; no package source writes agent configuration.
- The cross-origin message targets are origin-restricted, but the hardcoded remote origins still receive the credentials.
Behavioral surface
SourceChildProcessEnvironmentVarsFilesystemNetwork
Supply chainHighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 727 file(s), 1.34 MB of source, external domains: analytics.vtex.com, b2bfaststore.vtexfaststore.com, b2bfaststoredev.vtexassets.com, beta.vtexobservability.com, buyer-bulk-ops-agent.vercel.app, jsonata.org, order-entry-agent.vercel.app, rc.vtex.com, stable.vtexobservability.com, www.google.com