Explicit CLI login automates Microsoft account authentication and persists browser session storage locally. A populated `auth.json` is included in the package and is loaded by authentication checks.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `microsoft-webauth login` or `check`.
Impact
Can handle account credentials and reuse shipped or newly saved authenticated session state.
Mechanism
Playwright credential automation and local browser-storage persistence.
Rationale
No concrete malicious execution or exfiltration chain is present, but shipping populated authentication storage alongside credential automation is unsafe dangerous capability and warrants a warning.
Evidence
package.jsonsrc/index.jssrc/auth.jssrc/config.jsauth.json.qwen/settings.jsonauth-meta.jsonsrc/utils/logger.js
Network endpoints2
onenote.cloud.microsoft/en-usoutlook.cloud.microsoft/mail/