npm · registry.npmjs.org

moonwork-openclaw

Webhook Exfil Endpoint: matched "ngrok.app"

Why PkgRadar flagged 2026.5.10

Severity	Signal	Evidence
high	Webhook Exfil Endpoint	matched "ngrok.app" · package/dist/dist-DT1k6JKx.js
high	Webhook Exfil Endpoint	matched "ngrok-free.app" · package/dist/guarded-json-api-BNNhQbkM.js
medium	Credential file access	matched ".npmrc" · package/dist/install-package-dir-B0jP67OI.js
medium	New Account With Lifecycle Hook	package first published 41 day(s) ago, 9 total version(s), has lifecycle hook · package.json

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`2026.5.10`	High risk	163	2026-06-16
`2026.5.18-beta.1`	High risk	163	2026-06-16
`2026.6.16-beta.1`	High risk	163	2026-06-16
`2026.5.24-beta.1`	High risk	163	2026-06-10
`2026.5.27-beta.1`	High risk	163	2026-06-10

Block this in CI

PkgRadar gates moonwork-openclaw (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]