common-tg-service @1.3.207

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 40
License: MIT
Install Scripts: No
Dependencies: 21
Dev Dependencies: 30
Package Size: 647.4 KB
Published

Common Telegram service for NestJS applications

Maintainers

shetty123

Keywords

nestjs, telegram, common, service

Dependencies (21)

Package | Constraint | Registry Status
imap ^0.8.19 auto_approved
rxjs ^7.8.2 auto_approved
axios ^1.13.4 auto_approved
https ^1.0.0 auto_approved
sharp ^0.34.5 auto_approved
adm-zip ^0.5.16 auto_approved
ioredis ^5.9.2 auto_approved
mongoose ^9.1.6 auto_approved
telegram ^2.26.22 auto_approved
cloudinary ^2.9.0 auto_approved
node-cache ^5.1.2 auto_approved
@nestjs/core ^11.1.13 auto_approved
swagger-jsdoc ^6.2.8 auto_approved
@nestjs/common ^11.1.13 auto_approved
@nestjs/config ^4.0.3 auto_approved
@nestjs/swagger ^11.2.6 auto_approved
class-validator ^0.14.3 auto_approved
@nestjs/mongoose ^11.0.4 auto_approved
class-transformer ^0.5.1 auto_approved
swagger-ui-express ^5.0.1 auto_approved
@nestjs/platform-express ^11.1.13 auto_approved

Dev Dependencies (30)

Package | Constraint | Registry Status
jest ^30.2.0 auto_approved
eslint ^9.39.2 auto_approved
rimraf ^6.1.2 auto_approved
ts-jest ^29.4.6 auto_approved
ts-node ^10.9.2 auto_approved
webpack ^5.105.0 auto_approved
prettier ^3.8.1 auto_approved
cross-env ^10.1.0 auto_approved
supertest ^7.2.2 auto_approved
ts-loader ^9.5.4 auto_approved
typescript ^5.9.3 auto_approved
@nestjs/cli ^11.0.16 Not imported
@types/imap ^0.8.43 auto_approved
@types/jest ^30.0.0 auto_approved
@types/node ^25.2.1 auto_approved
webpack-cli ^6.0.1 pending
@types/sharp ^0.31.1 auto_approved
@types/multer ^2.0.0 auto_approved
@types/express ^5.0.6 auto_approved
tsconfig-paths ^4.2.0 auto_approved
@nestjs/testing ^11.1.13 auto_approved
@types/supertest ^6.0.3 pending
@nestjs/schematics ^11.0.9 Not imported
source-map-support ^0.5.21 auto_approved
mongodb-memory-server ^11.0.1 auto_approved
eslint-config-prettier ^10.1.8 auto_approved
eslint-plugin-prettier ^5.5.5 auto_approved
webpack-node-externals ^3.0.0 auto_approved
@typescript-eslint/parser ^8.54.0 auto_approved
@typescript-eslint/eslint-plugin ^8.54.0 auto_approved

Transitive Dependency Tree

217 transitive deps, max depth 10
  ├─ @nestjs/common ^11.1.13 → 11.1.19
  ├─ @nestjs/config ^4.0.3 → 4.0.4
  ├─ @nestjs/core ^11.1.13 → 11.1.19
  ├─ @nestjs/mongoose ^11.0.4 → 11.0.4
  ├─ @nestjs/platform-express ^11.1.13 → 11.1.19
  ├─ @nestjs/swagger ^11.2.6 → 11.4.2
  ├─ adm-zip ^0.5.16 → 0.5.17
  ├─ axios ^1.13.4 → 1.16.0
  ├─ class-transformer ^0.5.1 → 0.5.1
  ├─ class-validator ^0.14.3 → 0.14.3
  ├─ cloudinary ^2.9.0 → 2.10.0
  ├─ https ^1.0.0 → 1.0.0
  ├─ imap ^0.8.19 → 0.8.19
  ├─ ioredis ^5.9.2 → 5.10.0
  ├─ mongoose ^9.1.6 → 9.6.1
  ├─ node-cache ^5.1.2 → 5.1.2
  ├─ rxjs ^7.8.2 → 7.8.2
  ├─ sharp ^0.34.5
  ├─ swagger-jsdoc ^6.2.8 → 6.2.8
  ├─ swagger-ui-express ^5.0.1 → 5.0.1
├─ telegram ^2.26.22 → 2.26.22
  ├─ @ioredis/commands 1.5.1 → 1.5.1
  ├─ @microsoft/tsdoc 0.16.0 → 0.16.0
  ├─ @nestjs/mapped-types 2.1.1 → 2.1.1
  ├─ @nuxt/opencollective 0.4.1
  ├─ @types/validator ^13.15.3 → 13.15.10
  ├─ async-mutex ^0.3.0 → 0.3.2
  ├─ big-integer ^1.6.48 → 1.6.52
  ├─ buffer ^6.0.3 → 6.0.3
  ├─ clone 2.x → 2.1.2
  ├─ cluster-key-slot ^1.1.0 → 1.1.2
  ├─ commander 6.2.0 → 6.2.0
  ├─ cors 2.8.6 → 2.8.6
  ├─ debug ^4.3.4 → 4.4.3
  ├─ denque ^2.1.0 → 2.1.0
  ├─ doctrine 3.0.0 → 3.0.0
  ├─ dotenv 17.4.1 → 17.4.1
  ├─ dotenv-expand 12.0.3 → 12.0.3
  ├─ express 5.2.1 → 5.2.1
  ├─ fast-safe-stringify 2.1.1 → 2.1.1
  ├─ file-type 21.3.4 → 21.3.4
  ├─ follow-redirects ^1.16.0 → 1.16.0
  ├─ form-data ^4.0.5 → 4.0.5
  ├─ glob 7.1.6
  ├─ htmlparser2 ^6.1.0 → 6.1.0
  ├─ iterare 1.2.1
  ├─ js-yaml 4.1.1 → 4.1.1
  ├─ kareem 3.3.0 → 3.3.0
  ├─ libphonenumber-js ^1.11.1 → 1.12.43
  ├─ load-esm 1.0.3 → 1.0.3
  ├─ lodash 4.18.1 → 4.18.1
  ├─ lodash ^4.17.23 → 4.18.1
  ├─ lodash.defaults ^4.2.0 → 4.2.0
  ├─ lodash.isarguments ^3.1.0 → 3.1.0
  ├─ lodash.mergewith ^4.6.2 → 4.6.2
  ├─ mime ^3.0.0 → 3.0.0
  ├─ mongodb ~7.2 → 7.2.0
  ├─ mpath 0.9.0 → 0.9.0
  ├─ mquery 6.0.0 → 6.0.0
  ├─ ms 2.1.3 → 2.1.3
  ├─ multer 2.1.1 → 2.1.1
  ├─ node-localstorage ^2.2.1 → 2.2.1
  ├─ pako ^2.0.3 → 2.1.0
  ├─ path-browserify ^1.0.1 → 1.0.1
  ├─ path-to-regexp 8.4.2 → 8.4.2
  ├─ proxy-from-env ^2.1.0 → 2.1.0
  ├─ readable-stream 1.1.x → 1.1.14
  ├─ redis-errors ^1.2.0 → 1.2.0
  ├─ redis-parser ^3.0.0 → 3.0.0
  ├─ sift 17.1.3 → 17.1.3
  ├─ socks ^2.6.2 → 2.8.7
  ├─ standard-as-callback ^2.1.0 → 2.1.0
  ├─ store2 ^2.13.0 → 2.14.4
  ├─ swagger-parser ^10.0.3 → 10.0.3
  ├─ swagger-ui-dist 5.32.4 → 5.32.4
  ├─ ts-custom-error ^3.2.0 → 3.3.1
  ├─ tslib 2.8.1 → 2.8.1
  ├─ tslib ^2.1.0 → 2.8.1
  ├─ uid 2.0.2 → 2.0.2
  ├─ validator ^13.15.20 → 13.15.35
  ├─ websocket ^1.0.34 → 1.0.35
├─ yaml 2.0.0-1
  ├─ @apidevtools/swagger-parser 10.0.3 → 10.0.3
  ├─ @lukeed/csprng ^1.0.0 → 1.1.0
  ├─ @mongodb-js/saslprep ^1.3.0 → 1.4.9
  ├─ @scarf/scarf =1.4.0 → 1.4.0
  ├─ @tokenizer/inflate ^0.4.1 → 0.4.1
  ├─ accepts ^2.0.0 → 2.0.0
  ├─ append-field ^1.0.0 → 1.0.0
  ├─ argparse ^2.0.1 → 2.0.1
  ├─ asynckit ^0.4.0
  ├─ base64-js ^1.3.1 → 1.5.1
  ├─ body-parser ^2.2.1 → 2.2.2
  ├─ bson ^7.2.0 → 7.2.0
  ├─ bufferutil ^4.0.1 → 4.1.0
  ├─ busboy ^1.6.0 → 1.6.0
  ├─ combined-stream ^1.0.8 → 1.0.8
  ├─ concat-stream ^2.0.0 → 2.0.0
  ├─ content-disposition ^1.0.0 → 1.1.0
  ├─ content-type ^1.0.5 → 1.0.5
  ├─ cookie ^0.7.1 → 0.7.2
  ├─ cookie-signature ^1.2.1 → 1.2.2
  ├─ core-util-is ~1.0.0 → 1.0.3
  ├─ debug ^2.2.0
  ├─ debug ^4.4.0 → 4.4.3
  ├─ depd ^2.0.0 → 2.0.0
  ├─ domelementtype ^2.0.1 → 2.3.0
  ├─ domhandler ^4.0.0 → 4.2.2
  ├─ domutils ^2.5.2 → 2.8.0
  ├─ dotenv ^16.4.5 → 16.6.1
  ├─ encodeurl ^2.0.0 → 2.0.0
  ├─ entities ^2.0.0 → 2.2.0
  ├─ es-set-tostringtag ^2.1.0 → 2.1.0
  ├─ es5-ext ^0.10.63 → 0.10.64
  ├─ escape-html ^1.0.3 → 1.0.3
  ├─ esutils ^2.0.2 → 2.0.3
  ├─ etag ^1.8.1 → 1.8.1
  ├─ finalhandler ^2.1.0 → 2.1.1
  ├─ fresh ^2.0.0
  ├─ hasown ^2.0.2 → 2.0.3
  ├─ http-errors ^2.0.0 → 2.0.1
  ├─ ieee754 ^1.2.1 → 1.2.1
  ├─ inherits ~2.0.1 → 2.0.4
  ├─ ip-address ^10.0.1 → 10.1.0
  ├─ isarray 0.0.1
  ├─ merge-descriptors ^2.0.0 → 2.0.0
  ├─ mime-types ^3.0.0 → 3.0.2
  ├─ mime-types ^2.1.12 → 2.1.35
  ├─ mongodb-connection-string-url ^7.0.0 → 7.0.1
  ├─ ms ^2.1.3 → 2.1.3
  ├─ object-assign ^4 → 4.1.1
  ├─ on-finished ^2.4.1 → 2.4.1
  ├─ once ^1.4.0 → 1.4.0
  ├─ parseurl ^1.3.3 → 1.3.3
  ├─ proxy-addr ^2.0.7 → 2.0.7
  ├─ qs ^6.14.0 → 6.15.1
  ├─ range-parser ^1.2.1 → 1.2.1
  ├─ redis-errors ^1.0.0 → 1.2.0
  ├─ router ^2.2.0 → 2.2.0
  ├─ send ^1.1.0 → 1.2.1
  ├─ serve-static ^2.2.0 → 2.2.1
  ├─ smart-buffer ^4.2.0
  ├─ statuses ^2.0.1 → 2.0.2
  ├─ string_decoder ~0.10.x → 0.10.31
  ├─ strtok3 ^10.3.4 → 10.3.4
  ├─ token-types ^6.1.1 → 6.1.2
  ├─ tslib ^2.3.1 → 2.8.1
  ├─ type-is ^1.6.18 → 1.6.18
  ├─ type-is ^2.0.1 → 2.0.1
  ├─ typedarray-to-buffer ^3.1.5
  ├─ uint8array-extras ^1.4.0 → 1.5.0
  ├─ utf-8-validate ^5.0.2
  ├─ vary ^1.1.2 → 1.1.2
  ├─ vary ^1 → 1.1.2
  ├─ write-file-atomic ^1.1.4 → 1.3.4
├─ yaeti ^0.0.6
  ├─ @apidevtools/json-schema-ref-parser ^9.0.6
  ├─ @apidevtools/openapi-schemas ^2.0.4 → 2.1.0
  ├─ @apidevtools/swagger-methods ^3.0.2 → 3.0.2
  ├─ @borewit/text-codec ^0.2.1 → 0.2.2
  ├─ @jsdevtools/ono ^7.1.3 → 7.1.3
  ├─ @tokenizer/token ^0.3.0 → 0.3.0
  ├─ @tokenizer/token ^0.3.0
  ├─ @types/whatwg-url ^13.0.0 → 13.0.0
  ├─ buffer-from ^1.0.0 → 1.1.2
  ├─ bytes ^3.1.2 → 3.1.2
  ├─ call-me-maybe ^1.0.1 → 1.0.2
  ├─ content-type ^1.0.5 → 1.0.5
  ├─ debug ^4.4.3 → 4.4.3
  ├─ debug ^4.4.0 → 4.4.3
  ├─ delayed-stream ~1.0.0 → 1.0.0
  ├─ depd ~2.0.0 → 2.0.0
  ├─ depd ^2.0.0 → 2.0.0
  ├─ dom-serializer ^1.0.1 → 1.3.2
  ├─ domelementtype ^2.2.0 → 2.3.0
  ├─ domhandler ^4.2.0 → 4.2.2
  ├─ ee-first 1.1.1 → 1.1.1
  ├─ encodeurl ^2.0.0 → 2.0.0
  ├─ es-errors ^1.3.0 → 1.3.0
  ├─ es6-iterator ^2.0.3 → 2.0.3
  ├─ es6-symbol ^3.1.3 → 3.1.4
  ├─ escape-html ^1.0.3 → 1.0.3
  ├─ esniff ^2.0.1 → 2.0.1
  ├─ etag ^1.8.1 → 1.8.1
  ├─ forwarded 0.2.0 → 0.2.0
  ├─ fresh ^2.0.0
  ├─ function-bind ^1.1.2 → 1.1.2
  ├─ get-intrinsic ^1.2.6 → 1.3.1
  ├─ graceful-fs ^4.1.11 → 4.2.11
  ├─ has-tostringtag ^1.0.2 → 1.0.2
  ├─ hasown ^2.0.2 → 2.0.3
  ├─ http-errors ^2.0.0 → 2.0.1
  ├─ http-errors ^2.0.1 → 2.0.1
  ├─ iconv-lite ^0.7.0 → 0.7.2
  ├─ ieee754 ^1.2.1 → 1.2.1
  ├─ imurmurhash ^0.1.4 → 0.1.4
  ├─ inherits ~2.0.4 → 2.0.4
  ├─ inherits ^2.0.3 → 2.0.4
  ├─ ipaddr.js 1.9.1 → 1.9.1
  ├─ is-promise ^4.0.0 → 4.0.0
  ├─ media-typer 0.3.0 → 0.3.0
  ├─ media-typer ^1.1.0 → 1.1.0
  ├─ mime-db ^1.54.0 → 1.54.0
  ├─ mime-db 1.52.0
  ├─ mime-types ^3.0.0 → 3.0.2
  ├─ mime-types ~2.1.24 → 2.1.35
  ├─ mime-types ^3.0.2 → 3.0.2
  ├─ ms ^2.1.3 → 2.1.3
  ├─ negotiator ^1.0.0 → 1.0.0
  ├─ next-tick ^1.1.0 → 1.1.0
  ├─ node-gyp-build ^4.3.0
  ├─ on-finished ^2.4.1 → 2.4.1
  ├─ parseurl ^1.3.3 → 1.3.3
  ├─ path-to-regexp ^8.0.0 → 8.4.2
  ├─ qs ^6.14.1 → 6.15.1
  ├─ range-parser ^1.2.1 → 1.2.1
  ├─ raw-body ^3.0.1 → 3.0.2
  ├─ readable-stream ^3.0.2 → 3.6.2
  ├─ send ^1.2.0 → 1.2.1
  ├─ setprototypeof ~1.2.0 → 1.2.0
  ├─ side-channel ^1.1.0 → 1.1.0
  ├─ slide ^1.1.5 → 1.1.6
  ├─ sparse-bitfield ^3.0.3 → 3.0.3
  ├─ statuses ^2.0.2 → 2.0.2
  ├─ statuses ^2.0.1 → 2.0.2
  ├─ statuses ~2.0.2 → 2.0.2
  ├─ streamsearch ^1.1.0 → 1.1.0
  ├─ toidentifier ~1.0.1 → 1.0.1
  ├─ token-types ^6.1.1 → 6.1.2
  ├─ type-is ^2.0.1 → 2.0.1
  ├─ typedarray ^0.0.6 → 0.0.6
  ├─ whatwg-url ^14.1.0 → 14.2.0
  ├─ wrappy 1 → 1.0.2
├─ z-schema ^5.0.1 → 5.0.6
  ├─ @borewit/text-codec ^0.2.1 → 0.2.2
  ├─ @tokenizer/token ^0.3.0
  ├─ @types/webidl-conversions *
  ├─ async-function ^1.0.0
  ├─ async-generator-function ^1.0.0 → 1.0.0
  ├─ bytes ~3.1.2 → 3.1.2
  ├─ call-bind-apply-helpers ^1.0.2 → 1.0.2
  ├─ commander ^10.0.0 → 10.0.1
  ├─ content-type ^1.0.5 → 1.0.5
  ├─ d ^1.0.2 → 1.0.2
  ├─ d ^1.0.1 → 1.0.2
  ├─ d 1 → 1.0.2
  ├─ debug ^4.4.3 → 4.4.3
  ├─ depd ~2.0.0 → 2.0.0
  ├─ domelementtype ^2.2.0 → 2.3.0
  ├─ domelementtype ^2.0.1 → 2.3.0
  ├─ domhandler ^4.2.0 → 4.2.2
  ├─ ee-first 1.1.1 → 1.1.1
  ├─ encodeurl ^2.0.0 → 2.0.0
  ├─ entities ^2.0.0 → 2.2.0
  ├─ es-define-property ^1.0.1 → 1.0.1
  ├─ es-errors ^1.3.0 → 1.3.0
  ├─ es-object-atoms ^1.1.1 → 1.1.1
  ├─ es6-symbol ^3.1.1 → 3.1.4
  ├─ escape-html ^1.0.3 → 1.0.3
  ├─ etag ^1.8.1 → 1.8.1
  ├─ event-emitter ^0.3.5 → 0.3.5
  ├─ ext ^1.7.0
  ├─ fresh ^2.0.0
  ├─ function-bind ^1.1.2 → 1.1.2
  ├─ generator-function ^2.0.0 → 2.0.1
  ├─ get-proto ^1.0.1
  ├─ gopd ^1.2.0
  ├─ has-symbols ^1.1.0 → 1.1.0
  ├─ has-symbols ^1.0.3 → 1.1.0
  ├─ hasown ^2.0.2 → 2.0.3
  ├─ http-errors ^2.0.1 → 2.0.1
  ├─ http-errors ~2.0.1 → 2.0.1
  ├─ iconv-lite ~0.7.0 → 0.7.2
  ├─ ieee754 ^1.2.1 → 1.2.1
  ├─ inherits ~2.0.4 → 2.0.4
  ├─ inherits ^2.0.3 → 2.0.4
  ├─ lodash.get ^4.4.2 → 4.4.2
  ├─ lodash.isequal ^4.5.0 → 4.5.0
  ├─ math-intrinsics ^1.1.0 → 1.1.0
  ├─ media-typer ^1.1.0 → 1.1.0
  ├─ memory-pager ^1.0.2
  ├─ mime-db 1.52.0
  ├─ mime-db ^1.54.0 → 1.54.0
  ├─ mime-types ^3.0.0 → 3.0.2
  ├─ mime-types ^3.0.2 → 3.0.2
  ├─ ms ^2.1.3 → 2.1.3
  ├─ object-inspect ^1.13.3 → 1.13.4
  ├─ on-finished ^2.4.1 → 2.4.1
  ├─ range-parser ^1.2.1 → 1.2.1
  ├─ safer-buffer >= 2.1.2 < 3.0.0 → 2.1.2
  ├─ setprototypeof ~1.2.0 → 1.2.0
  ├─ side-channel ^1.1.0 → 1.1.0
  ├─ side-channel-list ^1.0.0 → 1.0.1
  ├─ side-channel-map ^1.0.1 → 1.0.1
  ├─ side-channel-weakmap ^1.0.2 → 1.0.2
  ├─ statuses ~2.0.2 → 2.0.2
  ├─ statuses ^2.0.2 → 2.0.2
  ├─ string_decoder ^1.1.1 → 1.3.0
  ├─ toidentifier ~1.0.1 → 1.0.1
  ├─ tr46 ^5.1.0 → 5.1.1
  ├─ type ^2.7.2 → 2.7.3
  ├─ unpipe ~1.0.0 → 1.0.0
  ├─ util-deprecate ^1.0.1 → 1.0.2
  ├─ validator ^13.7.0 → 13.15.35
├─ webidl-conversions ^7.0.0 → 7.0.0
  ├─ call-bound ^1.0.2 → 1.0.4
  ├─ d 1 → 1.0.2
  ├─ d ^1.0.2 → 1.0.2
  ├─ depd ~2.0.0 → 2.0.0
  ├─ domelementtype ^2.2.0 → 2.3.0
  ├─ ee-first 1.1.1 → 1.1.1
  ├─ es-errors ^1.3.0 → 1.3.0
  ├─ ext ^1.7.0
  ├─ function-bind ^1.1.2 → 1.1.2
  ├─ get-intrinsic ^1.2.5 → 1.3.1
  ├─ inherits ~2.0.4 → 2.0.4
  ├─ mime-db ^1.54.0 → 1.54.0
  ├─ ms ^2.1.3 → 2.1.3
  ├─ object-inspect ^1.13.4 → 1.13.4
  ├─ object-inspect ^1.13.3 → 1.13.4
  ├─ punycode ^2.3.1 → 2.3.1
  ├─ safe-buffer ~5.2.0 → 5.2.1
  ├─ safer-buffer >= 2.1.2 < 3.0.0 → 2.1.2
  ├─ setprototypeof ~1.2.0 → 1.2.0
  ├─ side-channel-list ^1.0.0 → 1.0.1
  ├─ side-channel-map ^1.0.1 → 1.0.1
  ├─ side-channel-weakmap ^1.0.2 → 1.0.2
  ├─ statuses ~2.0.2 → 2.0.2
  ├─ toidentifier ~1.0.1 → 1.0.1
├─ type ^2.7.2 → 2.7.3
  ├─ async-function ^1.0.0
  ├─ async-generator-function ^1.0.0 → 1.0.0
  ├─ call-bind-apply-helpers ^1.0.2 → 1.0.2
  ├─ call-bound ^1.0.2 → 1.0.4
  ├─ es-define-property ^1.0.1 → 1.0.1
  ├─ es-errors ^1.3.0 → 1.3.0
  ├─ es-object-atoms ^1.1.1 → 1.1.1
  ├─ function-bind ^1.1.2 → 1.1.2
  ├─ generator-function ^2.0.0 → 2.0.1
  ├─ get-intrinsic ^1.3.0 → 1.3.1
  ├─ get-intrinsic ^1.2.5 → 1.3.1
  ├─ get-proto ^1.0.1
  ├─ gopd ^1.2.0
  ├─ has-symbols ^1.1.0 → 1.1.0
  ├─ hasown ^2.0.2 → 2.0.3
  ├─ math-intrinsics ^1.1.0 → 1.1.0
  ├─ object-inspect ^1.13.4 → 1.13.4
  ├─ object-inspect ^1.13.3 → 1.13.4
  ├─ side-channel-map ^1.0.1 → 1.0.1
├─ type ^2.7.2 → 2.7.3
  ├─ async-function ^1.0.0
  ├─ async-generator-function ^1.0.0 → 1.0.0
  ├─ call-bind-apply-helpers ^1.0.2 → 1.0.2
  ├─ call-bound ^1.0.2 → 1.0.4
  ├─ es-define-property ^1.0.1 → 1.0.1
  ├─ es-errors ^1.3.0 → 1.3.0
  ├─ es-object-atoms ^1.1.1 → 1.1.1
  ├─ function-bind ^1.1.2 → 1.1.2
  ├─ generator-function ^2.0.0 → 2.0.1
  ├─ get-intrinsic ^1.2.5 → 1.3.1
  ├─ get-intrinsic ^1.3.0 → 1.3.1
  ├─ get-proto ^1.0.1
  ├─ gopd ^1.2.0
  ├─ has-symbols ^1.1.0 → 1.1.0
  ├─ hasown ^2.0.2 → 2.0.3
  ├─ math-intrinsics ^1.1.0 → 1.1.0
├─ object-inspect ^1.13.3 → 1.13.4
  ├─ async-function ^1.0.0
  ├─ async-generator-function ^1.0.0 → 1.0.0
  ├─ call-bind-apply-helpers ^1.0.2 → 1.0.2
  ├─ es-define-property ^1.0.1 → 1.0.1
  ├─ es-errors ^1.3.0 → 1.3.0
  ├─ es-object-atoms ^1.1.1 → 1.1.1
  ├─ function-bind ^1.1.2 → 1.1.2
  ├─ generator-function ^2.0.0 → 2.0.1
  ├─ get-intrinsic ^1.3.0 → 1.3.1
  ├─ get-proto ^1.0.1
  ├─ gopd ^1.2.0
  ├─ has-symbols ^1.1.0 → 1.1.0
  ├─ hasown ^2.0.2 → 2.0.3
├─ math-intrinsics ^1.1.0 → 1.1.0
  ├─ async-function ^1.0.0
  ├─ async-generator-function ^1.0.0 → 1.0.0
  ├─ call-bind-apply-helpers ^1.0.2 → 1.0.2
  ├─ es-define-property ^1.0.1 → 1.0.1
  ├─ es-errors ^1.3.0 → 1.3.0
  ├─ es-object-atoms ^1.1.1 → 1.1.1
  ├─ function-bind ^1.1.2 → 1.1.2
  ├─ generator-function ^2.0.0 → 2.0.1
  ├─ get-proto ^1.0.1
  ├─ gopd ^1.2.0
  ├─ has-symbols ^1.1.0 → 1.1.0
  ├─ hasown ^2.0.2 → 2.0.3
  ├─ math-intrinsics ^1.1.0 → 1.1.0

Changes from v1.3.201

No metadata changes detected.

File Changes

6 added, 0 removed, 230 modified, size delta: +29.9 KB

SAST Findings (2)

CRITICAL MAL-2026-3288: Malicious code in common-tg-service (npm) osv

Malicious npm package published by user `shetty123` as part of a Telegram account hijacking framework targeting Indian Telegram users. All 502 published versions (1.0.1 through 1.3.207) are malicious. Pairs with `ams-ssk`, which provides the operator's server-side AMS/CMS infrastructure. `common-tg-service` performs full Telegram account takeover at runtime when the service is initialized (no install-time hooks, which lets it bypass scanners that gate on preinstall/postinstall lifecycle scripts). Behavior includes: implanting a hardcoded 2FA password (`Ajtdmwajt1@`) and recovery email on hijacked accounts; polling an operator-controlled Gmail inbox over IMAP (`imap.gmail.com`) to auto-submit 2FA confirmation codes; revoking all device authorizations except the attacker's session; harvesting OTP codes by monitoring Telegram chat 777000 and forwarding them to the operator; running SRP ownership checks against managed accounts and flagging rotated 2FA as unrecoverable; and fetching remote JSON configuration from `npoint.io` so operators can change behavior without re-publishing. Blocked outbound requests are laundered through a relay at `helper-thge.onrender.com`. Stolen accounts and updates are exfiltrated to attacker-controlled Telegram channels (`-1001801844217` and `-1001972065816`). Operator infrastructure includes `paidgirl.site`, `cms.paidgirl.site`, `report-upi.netlify.app`, and `promoteClients2.glitch.me`.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 40. Findings: 1 critical (+40), 3 info (+0).

Commit: 723dc1a5513a

Published to npm: