Package evidence

@brutalstrikedevs/[email protected]

Webhook Exfil Endpoint: matched "api.telegram.org/bot"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 1
First published: May 2026
Publisher: brutalstrikedevs

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@brutalstrikedevs/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@brutalstrikedevs/[email protected]"],"fail_on":"high"}'

Publisherbrutalstrikedevs

Artifact bytes1,296,096

Previous versionnone

Published2026-05-28T07:12:41.725Z

SHA-256063e0718234b8838573b59f9a6ef9ecaa77b53dcea9efb36721f99326ffdc75a

Why flagged

What the scanner saw

Webhook Exfil Endpoint: matched "api.telegram.org/bot"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

3d agoLast checked

highRisk

45Score

0.1.91Version

Status history (5 events)

available → available3d ago · risk high · score 45 · status available -> available, risk high -> high, score 31 -> 45
available → available3d ago · risk high · score 31 · status available -> available, risk high -> high, score 45 -> 31
available → available10d ago · risk high · score 45 · status available -> available, risk high -> high, score 31 -> 45
available → available14d ago · risk high · score 31 · status available -> available, risk high -> high, score 57 -> 31
new → available16d ago · risk high · score 57 · status changed

Evidence

Static findings

4 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Webhook Exfil Endpoint	package/dist-cli/index.js	matched "api.telegram.org/bot"	40
high	New Account With Lifecycle Hook	package.json	package first published 13 day(s) ago, 1 total version(s), has lifecycle hook	25

Show all 4 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	Webhook Exfil Endpoint	package/dist-cli/index.js	matched "api.telegram.org/bot"	40
high	New Account With Lifecycle Hook	package.json	package first published 13 day(s) ago, 1 total version(s), has lifecycle hook	25
low	Install-time lifecycle script	package.json	postinstall="node scripts/fix-pty-native-build.cjs"	5
low	Obfuscation Density	package/dist-cli/index.js	high encoded/escaped-token density	0

Manifest

Package metadata

Scripts11

buildpnpm run build:frontend && pnpm run build:cli
build:clitsup
build:frontendvue-tsc --noEmit && vite build
devnode scripts/dev.cjs
dev2node scripts/dev-random-home.cjs
dev:openpnpm run build:cli && sh -c 'pnpm run dev & VPID=$!; node dist-cli/index.js --open-project "${1:-.}"; wait $VPID' --
postinstallnode scripts/fix-pty-native-build.cjs
previewvite preview
profile:browsernode scripts/profile-browser-runtime.cjs
profile:threadPROFILE_ROUTE='#/thread/019da7c0-4e12-7a91-837c-f7c11cc8ab6c' node scripts/profile-browser-runtime.cjs
test:unitvitest run

Dependencies9

@composio/client0.1.0-alpha.66
@xterm/addon-fit^0.11.0
@xterm/xterm^6.0.0
commander^13.1.0
express^5.1.0
firebase^12.2.1
highlight.js^11.11.1
qrcode-terminal^0.12.0
ws^8.18.3