SafeDep

Summary

Note: This report is updated by a verification record

Multiple suspicious behaviors: preinstall script executing arbitrary code and bash persistence attempts indicate malicious intent.

Verification Record

Confirmed malicious package as part of coordinated supply chain attack targeting npm ecosystem

Details

The package exhibits multiple suspicious behaviors. The package.json includes a preinstall script executing node setup_bun.js, enabling arbitrary code execution before installation. This is further supported by YARA rule matches for npm_preinstall_command in package.json. Additionally, the YARA rule bash_persist_persistent matched in both setup_bun.js and bun_environment.js, indicating potential attempts to modify bash startup files for persistence. These multiple pieces of evidence strongly suggest malicious intent.

@postman/wdio-allure-reporter@0.0.8
Malicious
Verified
Analysed at: 11/24/25, 5:11 AM
Source: https://registry.npmjs.org/@postman/wdio-allure-reporter/-/wdio-allure-reporter-0.0.8.tgz
SHA256: d4f0cb0afbc7a927b67fa967ba74b3526986efbf4c3e220b2a26b8cf284dd582
Confidence: High