Note: This report is updated by a verification record
Multiple suspicious behaviors: preinstall script execution, external command during preinstall, and access to bash startup files. Likely malicious.
Confirmed malicious package, part of a coordinated supply chain attack targeting the npm ecosystem.
The package exhibits multiple suspicious behaviors. First, the package.json file contains a preinstall script that executes node setup_bun.js, which is a potential vector for malicious code injection. Second, the YARA rule npm_preinstall_command is triggered on package.json, indicating that an external command is run during preinstall. Finally, both setup_bun.js and bun_environment.js access multiple bash startup files, which can be used for persistence. Together, these points of evidence suggest malicious intent.