Note: This report is updated by a verification record
Multiple YARA rule matches and suspicious preinstall script execution strongly suggest malicious intent, classifying the package as malware.
Confirmed malicious package, part of a coordinated supply chain attack targeting the npm ecosystem.
The package exhibits multiple suspicious behaviors that, when combined, strongly suggest malicious intent. Specifically, the package.json file contains a preinstall script that executes setup_bun.js. Both bun_environment.js and setup_bun.js trigger the bash_persist_persistent YARA rule, indicating attempts to modify shell startup files for persistence. The npm_preinstall_command YARA rule is also triggered. The preinstall script execution is further flagged as suspicious by the LLM-based file evaluation service. These multiple indicators provide a strong case for classifying this package as malware.