Note: This report is updated by a verification record
Multiple YARA matches and a suspicious preinstall script executing arbitrary code strongly suggest this package is malware.
Confirmed malicious package, part of a coordinated supply chain attack targeting the npm ecosystem.
The package exhibits multiple suspicious behaviors. Both bun_environment.js and setup_bun.js trigger the bash_persist_persistent YARA rule, indicating access to multiple bash startup files. Furthermore, the package.json includes a preinstall script that executes node setup_bun.js, allowing arbitrary code execution during installation. This is a strong indicator of malicious intent, especially when combined with the bash persistence behavior. The LLM-based file evaluation service also flags the preinstall script as suspicious.