PyPI · pypi.org

lnbits

Webhook Exfil Endpoint: matched "api.telegram.org/bot"

Why PkgRadar flagged 1.5.5rc2

Severity	Signal	Evidence
high	Webhook Exfil Endpoint	matched "api.telegram.org/bot" · lnbits-1.5.5rc2/lnbits/core/services/notifications.py
high	Credential File Packaged	lnbits-1.5.5rc2/.npmrc · lnbits-1.5.5rc2/.npmrc
medium	Remote Payload	matched "curl " · lnbits-1.5.5rc2/lnbits.sh
medium	Remote Payload	matched "curl " · lnbits-1.5.5rc2/docker/regtest/docker-scripts.sh
medium	Remote Payload	matched "wget " · lnbits-1.5.5rc2/lnbits/wallets/boltz_grpc_files/update.sh
medium	Remote Payload	matched "wget " · lnbits-1.5.5rc2/lnbits/wallets/lnd_grpc_files/update.sh

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`1.5.5rc2`	High risk	61	2026-06-04

Block this in CI

PkgRadar gates lnbits (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi lnbits==1.5.5rc2