Note: This report is updated by a verification record
Multiple YARA matches for bash persistence and a suspicious preinstall script executing arbitrary code indicate malicious behavior.
Confirmed malicious package, part of a coordinated supply chain attack targeting the npm ecosystem.
The package contains multiple indicators of suspicious behavior. Both setup_bun.js and bun_environment.js access multiple bash startup files, as detected by the bash_persist_persistent YARA rule. Additionally, the package.json file contains a preinstall script that executes node setup_bun.js, enabling arbitrary code execution during installation. This is further flagged as suspicious by an LLM-based file evaluation service. The combination of these factors strongly suggests malicious intent.