Package evidence

@fased/[email protected]

Webhook Exfil Endpoint: matched "api.telegram.org/bot"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 284
Versions published: 5
First published: Jun 2026
Publisher: fased

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@fased/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@fased/[email protected]"],"fail_on":"review"}'

Publisherfased

Artifact bytes19,971,421

Previous version0.1.10

Published2026-06-20T01:35:25.632Z

SHA-256f30eed43833444c82c4a565142f4acfb0400c32454be93737acea6d9bdca4f3c

Why flagged

What the scanner saw

Webhook Exfil Endpoint: matched "api.telegram.org/bot"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

16h agoLast checked

reviewRisk

199Score

0.1.11Version

Status history (1 event)

new → available16h ago · risk review · score 199 · status changed

Evidence

Static findings

32 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Webhook Exfil Endpoint	package/dist/api-DLdLLQm_.js	matched "api.telegram.org/bot"	40
high	Webhook Exfil Endpoint	package/dist/api-uvDKewCP.js	matched "api.telegram.org/bot"	40
high	Webhook Exfil Endpoint	package/dist/plugin-sdk/index.js	matched "api.telegram.org/bot"	40
high	Webhook Exfil Endpoint	package/dist/onboard-channels-D8ENQiPK.js	matched "api.telegram.org/bot"	40
high	Webhook Exfil Endpoint	package/dist/onboard-channels-Doc5AjLd.js	matched "api.telegram.org/bot"	40
high	Webhook Exfil Endpoint	package/extensions/voice-call/src/webhook-security.test.ts	matched "ngrok-free.app"	40
high	Webhook Exfil Endpoint	package/extensions/voice-call/src/webhook-security.ts	matched "ngrok-free.app"	40
medium	Remote Payload	package/dist/api-DLdLLQm_.js	matched "api.telegram.org/bot"	12
medium	Remote Payload	package/dist/api-uvDKewCP.js	matched "api.telegram.org/bot"	12
medium	Remote Payload	package/dist/plugin-sdk/index.js	matched "api.telegram.org/bot"	12
medium	Suspicious Publish Context	manifest	{"package_age_days":2,"publisher":"fased","burst_same_day":1,"burst_week":1,"lure":null,"version_anomaly":false,"new_account":true}	10

Show all 32 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	Webhook Exfil Endpoint	package/dist/api-DLdLLQm_.js	matched "api.telegram.org/bot"	40
high	Webhook Exfil Endpoint	package/dist/api-uvDKewCP.js	matched "api.telegram.org/bot"	40
high	Webhook Exfil Endpoint	package/dist/plugin-sdk/index.js	matched "api.telegram.org/bot"	40
high	Webhook Exfil Endpoint	package/dist/onboard-channels-D8ENQiPK.js	matched "api.telegram.org/bot"	40
high	Webhook Exfil Endpoint	package/dist/onboard-channels-Doc5AjLd.js	matched "api.telegram.org/bot"	40
high	Webhook Exfil Endpoint	package/extensions/voice-call/src/webhook-security.test.ts	matched "ngrok-free.app"	40
high	Webhook Exfil Endpoint	package/extensions/voice-call/src/webhook-security.ts	matched "ngrok-free.app"	40
medium	Remote Payload	package/dist/api-DLdLLQm_.js	matched "api.telegram.org/bot"	12
medium	Remote Payload	package/dist/api-uvDKewCP.js	matched "api.telegram.org/bot"	12
medium	Remote Payload	package/dist/plugin-sdk/index.js	matched "api.telegram.org/bot"	12
medium	Suspicious Publish Context	manifest	{"package_age_days":2,"publisher":"fased","burst_same_day":1,"burst_week":1,"lure":null,"version_anomaly":false,"new_account":true}	10
low	Credential file access	package/dist/agent-scope-CLn_Ws3B.js	matched "GOOGLE_APPLICATION_CREDENTIALS"	5
low	Credential file access	package/dist/agent-scope-T2X-I1lP.js	matched "GOOGLE_APPLICATION_CREDENTIALS"	5
low	Credential file access	package/dist/agent-scope-VtywltNx.js	matched "GOOGLE_APPLICATION_CREDENTIALS"	5
low	Credential file access	package/dist/plugin-sdk/context-ZGnpCM_T.js	matched "GOOGLE_APPLICATION_CREDENTIALS"	5
low	Credential file access	package/dist/env-Dlz8aQHP.js	matched "GOOGLE_APPLICATION_CREDENTIALS"	5
low	Credential file access	package/dist/onboarding-BR7OHJ2H.js	matched ".ssh/"	5
low	Credential file access	package/dist/onboarding-Cxkh1WwH.js	matched ".ssh/"	5
low	Credential file access	package/dist/paths-tN5PnNK1.js	matched "GOOGLE_APPLICATION_CREDENTIALS"	5
low	Credential file access	package/dist/plugin-sdk/registry-BhjWgT6A.js	matched "GOOGLE_APPLICATION_CREDENTIALS"	5
low	Credential file access	package/dist/plugin-sdk/runtime-45bZMjLH.js	matched "GOOGLE_APPLICATION_CREDENTIALS"	5
low	Credential file access	package/dist/skills-clawhub-CBB2AUv6.js	matched ".npmrc"	5
low	Credential file access	package/dist/skills-clawhub-kuGAFKgL.js	matched ".npmrc"	5
low	Messenger Bot Endpoint	package/extensions/voice-call/src/providers/twilio.test.ts	matched "ngrok.app" — notification/dev-tunnel URL without exfil context	5
low	Large Javascript Payload	package/dist/control-ui/assets/app-wpJSg6bV.js	2200579 bytes	0
low	Large Javascript Payload	package/dist/auth-CmR3RRfx.js	4596442 bytes	0
low	Large Javascript Payload	package/dist/model-catalog-D4rEoh5e.js	4696002 bytes	0
low	Large Javascript Payload	package/dist/pi-embedded-Bqi9f0et.js	4593518 bytes	0
low	Large Javascript Payload	package/dist/pi-embedded-D2PqvAO_.js	4593672 bytes	0
low	Large Javascript Payload	package/dist/reply-CBhrmRrH.js	4696477 bytes	0
low	Large Javascript Payload	package/dist/plugin-sdk/reply-DvuHwHUJ.js	4605084 bytes	0
low	Large Javascript Payload	package/dist/plugin-sdk/status-6xupAoj-.js	4593612 bytes	0

Manifest

Package metadata

Scripts113

android:assemblecd apps/android && ./gradlew :app:assembleDebug
android:installcd apps/android && ./gradlew :app:installDebug
android:runcd apps/android && ./gradlew :app:installDebug && adb shell am start -n ai.fased.android/.MainActivity
android:testcd apps/android && ./gradlew :app:testDebugUnitTest
android:test:integrationFASED_LIVE_TEST=1 FASED_LIVE_ANDROID_NODE=1 vitest run --config vitest.live.config.ts src/gateway/android-node.capabilities.live.test.ts
buildpnpm build:app && pnpm build:plugin-sdk:dts && node --import tsx scripts/write-plugin-sdk-entry-dts.ts
build:apppnpm build:runtime && pnpm ui:build
build:fasttsdown --no-report --no-clean
build:fast:cleantsdown --no-report
build:plugin-sdk:dtstsc -p tsconfig.plugin-sdk.dts.json
build:runtimetsdown && pnpm build:runtime-assets
build:runtime-assetspnpm canvas:a2ui:bundle && node --import tsx scripts/canvas-a2ui-copy.ts && node --import tsx scripts/copy-hook-metadata.ts && node --import tsx scripts/copy-export-html-templates.ts && node --import tsx scripts/write-build-info.ts && node --import tsx scripts/write-cli-compat.ts
canvas:a2ui:bundlebash scripts/bundle-a2ui.sh
checkpnpm check:ci
check:cipnpm format:check && pnpm lint && pnpm lint:tmp:no-random-messaging && pnpm lint:tmp:channel-agnostic-boundaries && pnpm lint:tmp:no-raw-channel-fetch && pnpm lint:auth:no-pairing-store-group && pnpm lint:auth:pairing-account-scope && pnpm check:host-env-policy:swift
check:docspnpm format:docs:check && pnpm lint:docs && pnpm docs:check-links
check:host-env-policy:swiftnode scripts/generate-host-env-security-policy-swift.mjs --check
check:locnode --import tsx scripts/check-ts-max-loc.ts --max 500
check:strictpnpm tsgo
check:strict:baselinenode scripts/strict-baseline.mjs
check:strict:scopednode scripts/check-strict-scoped.mjs
deadcode:cipnpm deadcode:report:ci:knip && pnpm deadcode:report:ci:ts-prune && pnpm deadcode:report:ci:ts-unused
deadcode:knippnpm dlx knip --no-progress
deadcode:reportpnpm deadcode:knip; pnpm deadcode:ts-prune; pnpm deadcode:ts-unused
deadcode:report:ci:knipmkdir -p .artifacts/deadcode && pnpm deadcode:knip > .artifacts/deadcode/knip.txt 2>&1 || true
deadcode:report:ci:ts-prunemkdir -p .artifacts/deadcode && pnpm deadcode:ts-prune > .artifacts/deadcode/ts-prune.txt 2>&1 || true
deadcode:report:ci:ts-unusedmkdir -p .artifacts/deadcode && pnpm deadcode:ts-unused > .artifacts/deadcode/ts-unused-exports.txt 2>&1 || true
deadcode:ts-prunepnpm dlx ts-prune src extensions scripts
deadcode:ts-unusedpnpm dlx ts-unused-exports tsconfig.json --ignoreTestFiles --exitWithCount
devnode scripts/run-node.mjs
…and 83 more.

Dependencies60

@agentclientprotocol/sdk0.14.1
@aws-sdk/client-bedrock^3.1062.0
@buape/carbon0.0.0-beta-20260216184201
@clack/prompts^1.0.1
@discordjs/voice^0.19.0
@fedify/fedify^2.2.4
@grammyjs/runner^2.0.3
@grammyjs/transformer-throttler^1.2.1
@homebridge/ciao^1.3.5
@larksuiteoapi/node-sdk^1.66.1
@line/bot-sdk^10.6.0
@lydell/node-pty1.2.0-beta.3
@mariozechner/pi-agent-core0.55.1
@mariozechner/pi-ai0.55.1
@mariozechner/pi-coding-agent0.55.1
@mariozechner/pi-tui0.55.1
@modelcontextprotocol/sdk1.29.0
@mozilla/readability^0.6.0
@sinclair/typebox0.34.48
@slack/bolt^4.6.0
@slack/web-api^7.14.1
@snazzah/davey^0.1.9
@solana/web3.js^1.98.0
@whiskeysockets/baileys7.0.0-rc.9
ajv^8.18.0
chalk^5.6.2
chokidar^5.0.0
cli-highlight^2.1.11
commander^14.0.3
croner^10.0.1
…and 30 more.

Optional dependencies1

@discordjs/opus^0.10.0