SafeDep
Summary

Note: This report is updated by a verification record

Malicious package: a preinstall script executes arbitrary code, and the code attempts persistence by accessing bash startup files. Only a few versions have been published.

Verification Record

Confirmed malicious package as part of coordinated supply chain attack targeting npm ecosystem

Details

The package exhibits multiple suspicious behaviors indicating that it is likely malware. The package.json includes a preinstall script that executes "node setup_bun.js", allowing arbitrary code execution during installation. Both bun_environment.js and setup_bun.js access multiple bash startup files, suggesting persistence attempts. Additionally, the project has only a few published versions, which could be a sign of malicious intent or a lack of maintenance. The combination of preinstall script execution and persistence attempts is strong evidence of malicious behavior.

Package: upload-to-play-store@1.0.1
Verdict: Malicious (Verified)
Analysed at: 11/24/25, 11:14 AM
Source: https://registry.npmjs.org/upload-to-play-store/-/upload-to-play-store-1.0.1.tgz
SHA256: 752e3da076200ce0ec6b45a25aa5fc1e2e7d846ccc003fbe2d3f331d0a716509
Confidence: High