Note: This report is updated by a verification record
Suspicious preinstall script and attempts to modify shell configuration files indicate malicious behavior.
Confirmed malicious package, part of a coordinated supply chain attack targeting the npm ecosystem.
The package exhibits multiple suspicious behaviors indicative of malicious intent. The package.json contains a preinstall script that executes node setup_bun.js. This is flagged as suspicious because preinstall scripts are often used to execute arbitrary code before the user is even aware the package is installed. Furthermore, both setup_bun.js and bun_environment.js match the YARA rule bash_persist_persistent, suggesting they attempt to modify bash startup files for persistence. This combination of suspicious preinstall script execution and attempts to modify shell configuration files strongly suggests malicious behavior.