Package evidence

[email protected]

Credential file access: matched ".azure"

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"high"}'

Publisher0-code

Artifact bytes532,741

Previous version3.9.0

Published2026-05-24T19:08:17.726Z

SHA-2563a7de32f30c1dfea637212ac831a4e704a4548dfe1103400f496721298fa39e1

Why flagged

What the scanner saw

Credential file access: matched ".azure"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

24d agoLast checked

highRisk

102Score

3.9.1Version

Status history (1 event)

new → available24d ago · risk high · score 102 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

0-code

6 members · evidence strength 82

Evidence

Static findings

7 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Credential file access	package/lib/intake/adapters/excel-m365.cjs	matched ".azure"	30
high	Credential file access	package/lib/google-slides-exporter.cjs	matched "GOOGLE_APPLICATION_CREDENTIALS"	30
high	Credential file access	package/lib/intake/setup-wizard.cjs	matched ".azure"	30

Show all 7 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	Credential file access	package/lib/intake/adapters/excel-m365.cjs	matched ".azure"	30
high	Credential file access	package/lib/google-slides-exporter.cjs	matched "GOOGLE_APPLICATION_CREDENTIALS"	30
high	Credential file access	package/lib/intake/setup-wizard.cjs	matched ".azure"	30
low	Obfuscation	package/lib/intake/adapters/excel-m365.cjs	matched "fromCharCode"	3
low	Obfuscation	package/bin/viepilot.cjs	matched "\\x1B"	3
low	Obfuscation	package/bin/vp-tools.cjs	matched "\\x1b"	3
low	Obfuscation	package/lib/intake/writeback.cjs	matched "fromCharCode"	3

Manifest

Package metadata

Scripts10

lint:clinode --check bin/vp-tools.cjs && node --check bin/viepilot.cjs
prepublishOnlynpm run verify:release
readme:syncnode scripts/sync-readme-metrics.cjs
release:checklistnode scripts/release-checklist.cjs
smoke:publishednode scripts/smoke-published.cjs
testjest
test:coveragejest --coverage
test:watchjest --watch
verify:releasenpm run lint:cli && npm test && npm pack --dry-run
verify:ui-directionnode scripts/verify-ui-direction-pages.cjs

Dependencies3

docx^9.0.0
pptxgenjs^3.12.0
xlsx^0.18.5

Optional dependencies1

@googleapis/slides^1.0.0