PkgRadar

npm · registry.npmjs.org

forge0x2b

Messenger Bot Endpoint: matched "hooks.slack.com/services/" — messenger-bot URL without exfil context (likely a notification handler)

Why PkgRadar flagged 1.0.0

Severity | Signal | Evidence
high | New Lifecycle Script Vs Previous | postinstall added in 1.0.0 vs 0.10.3: "node scripts/copy-gif-worker.js" · package.json

Scanned versions

Version | Verdict | Score | Scanned (UTC)
1.0.0 | High risk | 60 | 2026-06-10
1.0.1 | Review | 20 | 2026-06-03
0.10.2 | Review | 20 | 2026-05-30
0.10.3 | Review | 20 | 2026-05-30

Campaign attribution

Part of the asteroiddao npm campaign.

Block this in CI

PkgRadar gates forge0x2b (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]