Package evidence

@edihasaj/[email protected]

Credential file access: matched ".azure"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@edihasaj/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@edihasaj/[email protected]"],"fail_on":"high"}'

Publisherapplifyer

Artifact bytes3,302,616

Previous version0.6.7

Published2026-05-24T09:09:51.037Z

SHA-256daa0762fc2e60c328a41b7181dc2283b37772283e51c101eb103a63189048da9

Why flagged

What the scanner saw

Credential file access: matched ".azure"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

20d agoLast checked

highRisk

99Score

0.7.1Version

Status history (1 event)

new → available20d ago · risk high · score 99 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

applifyer

2 members · evidence strength 61

Evidence

Static findings

12 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Credential file access	package/dist/chunk-DNFKAHS6.js	matched ".azure"	30
high	Credential file access	package/dist/cli.js	matched ".azure"	30
medium	Obfuscation Density	package/dist/chunk-PH6YNVHR.js	high encoded/escaped-token density	12

Show all 12 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	Credential file access	package/dist/chunk-DNFKAHS6.js	matched ".azure"	30
high	Credential file access	package/dist/cli.js	matched ".azure"	30
medium	Obfuscation Density	package/dist/chunk-PH6YNVHR.js	high encoded/escaped-token density	12
low	Obfuscation	package/dist/chunk-CPOANMKD.js	matched "\\u2014"	3
low	Obfuscation	package/dist/chunk-DNFKAHS6.js	matched "\\xB7"	3
low	Obfuscation	package/dist/chunk-GNXTOM5K.js	matched "\\u2026"	3
low	Obfuscation	package/dist/chunk-PG2ZVVAT.js	matched "\\u2019"	3
low	Obfuscation	package/dist/chunk-PH6YNVHR.js	matched "\\u2192"	3
low	Obfuscation	package/dist/chunk-YL23MKB3.js	matched "\\u2192"	3
low	Obfuscation	package/dist/cli.js	matched "\\u2014"	3
low	Obfuscation	package/dist/daemon.js	matched "\\u2014"	3
low	Obfuscation	package/dist/usage-YBS74UEU.js	matched "\\u2192"	3

Manifest

Package metadata

Scripts17

bench:loadtsx benchmark/load.ts
bench:seedtsx benchmark/seed.ts
buildtsup && npm run webui:build && node -e "const f='dist/cli.js';const c=require('fs').readFileSync(f,'utf8');if(!c.startsWith('#!'))require('fs').writeFileSync(f,'#!/usr/bin/env node\n'+c);require('fs').chmodSync(f,0o755)"
build:appbash scripts/build-app.sh
db:generatedrizzle-kit generate
db:pushdrizzle-kit migrate
demo:recordbash scripts/record-demo.sh
devtsup --watch
docs:checknode scripts/check-docs-site.mjs
docs:ognpx -y playwright screenshot --viewport-size=1200,630 --wait-for-timeout 1800 file://$PWD/docs/og.html docs/og-image.png
homebrew:casknode scripts/render-homebrew-cask.mjs
install:appbash scripts/install-app.sh
testvitest run
test:watchvitest
typechecktsc --noEmit
webui:buildcd webui && (test -d node_modules || npm install --no-audit --no-fund) && npm run build
webui:devcd webui && npm run dev

Dependencies7

@huggingface/transformers^4.1.0
@modelcontextprotocol/sdk^1.12.1
better-sqlite3^11.8.1
commander^13.1.0
drizzle-orm^0.45.2
sqlite-vec^0.1.9
zod^3.24.4