AI called this Suspicious at 82.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- `dist/ciam.js` sends caller-supplied `msisdn` to `xl-ku.my.id`.
- The quota request is an unencrypted query-string GET containing the phone number.
- `xl-ku.my.id` differs from the package’s primary `xlaxiata.co.id` API hosts.
Evidence against
- `package.json` has only a `prepublishOnly` hook, not install-time hooks.
- No filesystem access, child processes, dynamic code execution, or persistence primitives found.
- The network call is limited to the explicit exported `checkQuota(msisdn)` function.
- Other API calls use the configured MyXL/XLAxiata endpoints and caller-provided tokens.
Behavioral surface
Supply chainHighEntropyStringsUrlStrings
ManifestNoLicenseWildcardDependency
scanned 25 file(s), 259 KB of source, external domains: api.myxl.xlaxiata.co.id, gede.ciam.xlaxiata.co.id, xl-ku.my.id