Note: This report is updated by a verification record
Multiple pieces of evidence, including arbitrary code execution, silent failures, and bash persistence attempts, indicate that the package is likely malicious.
Confirmed malicious package as part of coordinated supply chain attack targeting npm ecosystem
The package exhibits multiple suspicious behaviors that, taken together, strongly suggest malicious intent. Specifically, setup_bun.js downloads a script from an external source and executes it without user consent or any integrity validation, which hands the remote host arbitrary code execution on the installing machine. It then executes bun_environment.js without checks, creating a second injection point. The error handling in setup_bun.js swallows failures, so a broken or interrupted payload produces no visible error and any malicious activity is masked from the installer. The YARA rule matches for bash persistence in both bun_environment.js and setup_bun.js further contribute to the suspicion. Finally, the npm_preinstall_command in package.json means this chain runs automatically during npm install, before the consumer has had any opportunity to inspect the package contents.