Package evidence

@hunvreus/[email protected]

Remote Payload: matched "api.telegram.org/bot"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 4
First published: May 2026
Publisher: hunvreus

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@hunvreus/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@hunvreus/[email protected]"],"fail_on":"review"}'

Publisherhunvreus

Artifact bytes340,697

Previous version0.1.2

Published2026-06-04T15:22:07.052Z

SHA-256806f703b5a0608a77002ded90ff09c2c61dc28bd81e28edabbd5d2a925fc082b

Why flagged

What the scanner saw

Remote Payload: matched "api.telegram.org/bot"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

8d agoLast checked

reviewRisk

17Score

0.1.3Version

Status history (1 event)

new → available8d ago · risk review · score 17 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/dist/cli.js	matched "api.telegram.org/bot"	12

Show all 2 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
medium	Remote Payload	package/dist/cli.js	matched "api.telegram.org/bot"	12
low	Messenger Bot Endpoint	package/dist/cli.js	matched "api.telegram.org/bot" — messenger-bot URL without exfil context (likely a notification handler)	5

Manifest

Package metadata

Scripts14

buildrm -rf dist && pnpm run build:secret-css && tsc -p tsconfig.build.json && mkdir -p dist/drizzle dist/core/assets && cp drizzle/*.sql dist/drizzle/ && cp src/core/assets/secret.css dist/core/assets/secret.css && pnpm run build:admin-assets
build:admin-assetsmkdir -p dist/admin && cp -R src/admin/assets dist/admin/
build:admin-cssmkdir -p src/admin/assets && tailwindcss -i src/admin/style.css -o src/admin/assets/admin.css --minify && cp node_modules/basecoat-css/dist/js/all.min.js src/admin/assets/basecoat.all.min.js
build:secret-cssmkdir -p src/core/assets && tailwindcss -i src/core/secret.css -o src/core/assets/secret.css --minify
checkbiome check .
db:generatedrizzle-kit generate
dev:admin-cssmkdir -p src/admin/assets && tailwindcss -i src/admin/style.css -o src/admin/assets/admin.css --watch
fmtbiome format --write .
heypitsx --conditions development src/cli.ts
pack:drynpm pack --dry-run
prepackpnpm run build
publish:drynpm publish --dry-run --access public
testpnpm run build && node --import tsx --test tests/*.test.ts
typecheckpnpm run build && tsc --noEmit

Dependencies11

@earendil-works/pi-coding-agent^0.75.5
@libsql/client^0.17.3
@sinclair/typebox^0.34.49
@slack/bolt^4.7.2
cac^7.0.0
croner^10.0.1
discord.js^14.26.4
drizzle-orm^0.45.2
just-bash^3.0.1
picocolors^1.1.1
unbash3.0.0