Note: This report is updated by a verification record
Multiple suspicious behaviors: preinstall script, bash persistence, embedded executable with mismatched extension. Likely malware.
Confirmed malicious package, part of a coordinated supply chain attack targeting the npm ecosystem.
The package exhibits multiple suspicious behaviors that, when considered together, strongly suggest malicious intent. The package.json includes a preinstall script that executes setup_bun.js, which is flagged as suspicious. Both setup_bun.js and bun_environment.js access multiple bash startup files, indicating potential persistence attempts. Furthermore, the package contains an embedded executable named postman in the bin directory, which has a mismatched file extension. This combination of suspicious preinstall script execution, bash persistence attempts, and an embedded executable with a mismatched extension is highly indicative of malicious activity.