Note: This report is updated by a verification record
Low-confidence YARA rule matches related to bash persistence are not sufficient to classify the package as malware. Stronger evidence is needed.
Confirmed malicious package as part of coordinated supply chain attack targeting npm ecosystem
The YARA rule bash_persist_persistent matched in two files (setup_bun.js and bun_environment.js). While the rule indicates that the code accesses multiple bash startup files, which can be a sign of a persistence mechanism, the confidence is low. Matching this rule alone is not sufficient to classify the package as malware. Without stronger evidence or further analysis, it is safer to assume it is not malicious.