Note: This report is updated by a verification record
Multiple YARA matches and suspicious preinstall script indicate malicious behavior. Shell persistence attempts and arbitrary code execution are concerning.
Confirmed malicious package, part of a coordinated supply chain attack targeting the npm ecosystem.
The package exhibits multiple suspicious behaviors. The bash_persist_persistent YARA rule matched in setup_bun.js and bun_environment.js, indicating potential attempts to modify shell startup files for persistence. Additionally, the npm_preinstall_command YARA rule matched in package.json, and the LLM's assessment flagged a suspicious preinstall script that executes node setup_bun.js, which raises concerns about malicious code execution during installation. The preinstall script running setup_bun.js is a strong indicator, especially when combined with the shell persistence attempts.