npm · registry.npmjs.org

@rsb1813/sharpclaw

Webhook Exfil Endpoint: matched "api.telegram.org/bot"

Why PkgRadar flagged 2026.6.3

Severity	Signal	Evidence
high	Webhook Exfil Endpoint	matched "api.telegram.org/bot" · package/dist/i18n-C0k1rM_n.js
high	New Account With Lifecycle Hook	package first published 0 day(s) ago, 2 total version(s), has lifecycle hook · package.json
medium	Credential file access	matched ".npmrc" · package/dist/install-package-dir-N-Rn40jr.js
medium	Credential file access	matched ".npmrc" · package/dist/npm-install-env-CSqfL5Dl.js
medium	Credential file access	matched ".npmrc" · package/dist/npm-managed-root-CXoJMYTJ.js

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`2026.6.3`	High risk	133	2026-06-18
`2026.6.2`	High risk	133	2026-06-18

Block this in CI

PkgRadar gates @rsb1813/sharpclaw (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @rsb1813/[email protected]