Supply-chain threat intelligence
Risk score: 92
Indexed incident for wallet-agent-ai (npm).
-= Per source details. Do not edit below this line.=-
dist/agent.js contains a hardcoded Telegram Bot API endpoint (https://api.telegram.org) used in a fetch/POST call near references to process.env. The package presents itself as a wallet/AI agent but ships a bot-token-bearing C2 channel inside its compiled JS, alongside a third-party API call to api.astrolescent.com. This is the canonical credential/data exfiltration pattern: caller-supplied or environment-derived data is POSTed to a Telegram bot controlled by the package author, giving the author silent access to whatever inputs or env values reach this code path. There is no legitimate reason for a wallet-related library to relay data through a hardcoded Telegram bot endpoint.