PkgRadar

Package evidence

[email protected]

Remote Payload: matched "api.telegram.org/bot"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 6
First published: May 2026
Publisher: GitHub Actions (Trusted automation · −70% score)

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Block this release in CI

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Artifact bytes: 16,281,416
Previous version: 0.4.1
Published: 2026-06-04T16:08:43.395Z
SHA-256: bcc5ae52d02ef8fa5aa54cef0c26de5a237501913c0009f55272fd900aab0d03

Why flagged

What the scanner saw

Remote Payload: matched "api.telegram.org/bot"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
Risk: review
Score: 5
Version: 0.4.2
Status history (1 event)
  1. new · available · risk review · score 5 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

| Severity | Kind | Path | Detail | Points |
| --- | --- | --- | --- | --- |
| medium | Remote Payload | package/node-backend/lib/channels.mjs | matched "api.telegram.org/bot" | 12 |
| low | Messenger Bot Endpoint | package/node-backend/lib/channels.mjs | matched "api.telegram.org/bot" — messenger-bot URL without exfil context (likely a notification handler) | 5 |

Manifest

Package metadata

Scripts: 26
  • build → tsc && vite build
  • demo:remotion → remotion studio src/remotion/index.ts
  • demo:render:competitive → remotion render src/remotion/index.ts CompetitiveAnalysisArtifact renders/competitive-analysis-artifact.mp4
  • demo:render:connect → remotion render src/remotion/index.ts ConnectProductToGitHub renders/connect-product-github.mp4
  • demo:render:marketing-suite → remotion render src/remotion/index.ts ProductOSMarketingSuite renders/productos-marketing-suite.mp4
  • demo:render:workflow → remotion render src/remotion/index.ts WorkflowFromCompetitiveIntel renders/workflow-competitive-intel.mp4
  • dev → npm run dev:node
  • dev:node → concurrently -k -p "[{name}]" -n "vite,node-server" -c "cyan.bold,green.bold" "vite" "npm run dev:server:node"
  • dev:node-prototype → node scripts/run-node-prototype-dev.mjs
  • dev:server:ci → node scripts/run-dev-server-ci.mjs
  • dev:server:node → PRODUCTOS_NODE_SERVER_PORT=51423 node node-backend/server.mjs
  • generate-credits → node scripts/generate-credits.cjs
  • prepublishOnly → npm run build
  • start → npm run build && npm run dev:server:node
  • stop → node scripts/stop-dev.js
  • test:backend → node --test node-backend/tests/*.test.mjs node-backend/tests/services/*.test.mjs tests/*.test.mjs
  • test:channels → node --test tests/channel-settings.test.mjs
  • test:e2e → playwright test
  • test:e2e:ci → node scripts/run-e2e-ci.mjs
  • test:e2e:headed → playwright test --headed
  • test:e2e:ui → playwright test --ui
  • test:guardrails → node --test tests/artifact-quality.test.mjs
  • test:integration:token-saver → node --test tests/token-saver.integration.test.mjs
  • test:mvp:personal-pm → node --test tests/artifact-quality.test.mjs tests/starter-pack.test.mjs tests/token-saver.integration.test.mjs
  • test:starter-pack → node --test tests/starter-pack.test.mjs
  • test:unit:optimizer → node --test tests/workflow-optimizer.unit.test.mjs
Dependencies: 37
  • @radix-ui/react-context-menu 2.2.16
  • @radix-ui/react-dialog 1.1.15
  • @radix-ui/react-icons 1.3.2
  • @radix-ui/react-menubar 1.1.16
  • @radix-ui/react-select 2.2.6
  • @radix-ui/react-toast 1.2.15
  • @tiptap/extension-bubble-menu 3.22.4
  • @tiptap/extension-floating-menu 3.22.4
  • @tiptap/extension-link 3.22.4
  • @tiptap/extension-placeholder 3.22.4
  • @tiptap/extension-table 3.22.4
  • @tiptap/extension-table-cell 3.22.4
  • @tiptap/extension-table-header 3.22.4
  • @tiptap/extension-table-row 3.22.4
  • @tiptap/markdown 3.22.4
  • @tiptap/pm 3.22.4
  • @tiptap/react 3.22.4
  • @tiptap/starter-kit 3.22.4
  • @tiptap/suggestion 3.22.4
  • @types/tippy.js 6.3.0
  • @xyflow/react 12.10.0
  • chokidar ^5.0.0
  • class-variance-authority 0.7.1
  • clsx 2.1.1
  • date-fns 4.1.0
  • framer-motion 12.29.0
  • lucide-react 0.263.1
  • papaparse 5.5.3
  • pdf-parse ^2.4.5
  • pptxgenjs 4.0.1
  • …and 7 more.