SafeDep

Summary

Note: This report is updated by a verification record

Multiple YARA matches and a suspicious preinstall script executing a file that modifies bash startup files indicate malicious behavior.

Verification Record

Confirmed malicious package, part of a coordinated supply chain attack targeting the npm ecosystem.

Details

The package exhibits multiple suspicious behaviors. The package.json file contains a preinstall script that executes node setup_bun.js, which is flagged as suspicious. Both setup_bun.js and bun_environment.js match the bash_persist_persistent YARA rule, indicating potential attempts to modify bash startup files for persistence. The npm_preinstall_command YARA rule match in package.json further reinforces the suspicion of malicious intent by running external commands during installation. These multiple indicators strongly suggest malicious behavior.

@postman/postman-mcp-cli@1.0.3
Malicious
Verified
Analysed at: 11/24/25, 5:06 AM
Source: https://registry.npmjs.org/@postman/postman-mcp-cli/-/postman-mcp-cli-1.0.3.tgz
SHA256: e307895b8bfc58e30646b006ea3647ee491e06dd721d1ce3a1e38f11f69ac26b
Confidence: High