Package evidence
@parad0x_labs/[email protected]
Messenger Bot Endpoint: matched "api.telegram.org/bot" — messenger-bot URL without exfil context (likely a notification handler)
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 1
- First published
- May 2026
- Publisher
- loop22
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@parad0x_labs/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@parad0x_labs/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Messenger Bot Endpoint: matched "api.telegram.org/bot" — messenger-bot URL without exfil context (likely a notification handler)
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 5 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
No high-signal findings — see all findings below.
Show all 1 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| low | Messenger Bot Endpoint | package/dist/monitoring/telegramAlert.js | matched "api.telegram.org/bot" — messenger-bot URL without exfil context (likely a notification handler) | 5 |
Manifest
Package metadata
Scripts73
acceptance:agentstsx ../examples/agent-wallet-client-ts/test/acceptance.test.ts && tsx ../examples/paper-polymarket-agent-ts/test/acceptance.test.ts && tsx ../examples/copy-settings-ts/test/acceptance.test.ts && tsx ../examples/alpha-monetization-ts/test/acceptance.test.ts && tsx ../examples/copied-lot-ledger-ts/test/acceptance.test.tsacceptance:buildervitest run tests/builder.launch-pack.test.tsacceptance:degen-modevitest run tests/degen-mode.test.tsalt:createtsx scripts/alt/create-alt.tsalt:extendtsx scripts/alt/extend-alt.tsalt:showtsx scripts/alt/show-alt.tsaudit:fulltsx scripts/audit/run-full-audit.tsaudit:prodtsx scripts/audit/run-prod-audit.tsaudit:programmabletsx scripts/audit/run-programmability-audit.tsbench:computetsx scripts/bench/profile-flows.tsbench:footprinttsx scripts/bench/write-footprint-md.tsbench:txsizetsx scripts/bench/txsize-report.tsbridge:liquefytsx src/bridge/liquefy/cli.tsbridge:liquefy:livecurl -s http://localhost:8080/admin/audit/export | tsx src/bridge/liquefy/cli.ts --stdin --out ./vault-staging/livebuildtsc -p tsconfig.jsoncheck:mainnet:betanode scripts/check-mainnet-beta-evidence.mjscheck:reponode scripts/check-repo-identity.mjsdb:backuptsx scripts/db/backup.tsdb:backup:testtsx scripts/db/backup-test.tsdb:backup:test:postgrestsx scripts/db/backup-postgres-test.tsdb:healthtsx scripts/db/health.tsdb:migratetsx scripts/db/migrate.tsdb:resettsx scripts/db/reset.tsdb:restoretsx scripts/db/restore.tsdb:seed:sandboxtsx scripts/db/seed-sandbox.tsdemo:buyertsx src/cli.ts demo buyerdemo:sellertsx src/cli.ts demo sellerdeploy:buffers:closetsx ../scripts/close-buffers.tsdeploy:estimatetsx ../scripts/estimate-deploy-cost.tsdeploy:ledgertsx ../scripts/deploy-ledger.ts- …and 43 more.
Dependencies10
@solana/web3.js^1.98.4@types/pg^8.20.0bn.js^5.2.3bs58^6.0.0cors^2.8.5dotenv^16.4.7express^5.2.1pg^8.20.0tweetnacl^1.0.3zod^3.24.1