Supply-chain threat intelligence

critical · npm · credential theft · osv

Malicious code in klaudius (npm)

klaudius

Risk score

92

AI summary

Indexed incident for klaudius (npm).

Description

The package's CLI bundle (dist/bin.js) and an associated chunk (dist/chunk-SZ4KCTSL.js) contain hardcoded fetch() POST calls to https://api.telegram.org, the canonical Telegram Bot API endpoint, used here as a hardcoded C2/exfiltration channel. A Telegram bot endpoint embedded in a CLI tool's compiled bundle and invoked via fetch with POST is the standard fingerprint of an exfiltration beacon: api.telegram.org acts as a free, TLS-protected, attacker-controlled relay where a hardcoded bot token receives whatever the package decides to send (env vars, file contents, command output, host identifiers). When the CLI is run, anything routed through these calls leaves the installer's machine for a Telegram chat the package author controls. The destination is not user-configurable, as is typical of Telegram-bot integrations: the bot token and chat id are baked into the bundle.

Technical details

Indicators


Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
