THREATPKG

Supply-chain threat intelligence

Incident detail

critical · npm · credential theft · osv

Malicious code in amaco-os (npm)

amaco-os

Risk score

92

AI summary

Indexed incident for amaco-os (npm).

Description

Source: amazon-inspector (0a6204f29c39ab7a22921331bf33f2501b27fba9aac6a8b87b833caef9c5f506)

dist/index.js contains a hardcoded Telegram Bot API endpoint (https://api.telegram.org) referenced from a fetch()/POST call alongside process.env access. The combination — fetch() + POST + api.telegram.org + process.env — is the canonical Telegram-bot exfiltration channel: it ships the installing host's environment variables (which routinely hold npm tokens, CI secrets and cloud credentials) and other host data to an attacker-controlled bot or chat. The Bot API acts as a hardcoded C2 with no infrastructure to seize: the attacker only needs the bot token embedded in the bundle to receive every installer's data. There is no legitimate reason for an OS-themed package's bundle to POST to the Telegram Bot API while reading process.env.

Technical details

Affected versions

(not rendered in the source record)

Indicators

  • affected_version (value not rendered in the source record), confidence 75%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents