Note: This report is updated by a verification record
Multiple suspicious behaviors including preinstall script, bash persistence attempts, and silent error handling suggest this package is likely malicious.
Confirmed malicious package as part of coordinated supply chain attack targeting npm ecosystem
The package exhibits multiple suspicious behaviors that, when combined, suggest malicious intent. Specifically:
- package.json includes a preinstall script (node setup_bun.js) which is a common technique for malware to execute code before installation.
- bun_environment.js and setup_bun.js trigger the bash_persist_persistent YARA rule, indicating attempts to modify bash startup files for persistence. While a single YARA match isn't conclusive, the presence of this rule across multiple files increases suspicion.
- setup_bun.js script contains multiple instances where errors during process execution, download, or setup lead to silent process termination (process.exit(0)). This is highly unusual error handling and suggests an attempt to hide failures from the user, a common tactic used by malware.

The combination of these factors – suspicious preinstall script, attempts to modify bash startup files, and silent error handling – provides strong evidence that the package is likely malicious.