Note: This report is updated by a verification record
Multiple YARA matches for shell persistence, suspicious preinstall script execution, and a hardcoded API key strongly suggest malicious intent.
Confirmed malicious package as part of coordinated supply chain attack targeting npm ecosystem
The package exhibits multiple suspicious behaviors that, when combined, strongly suggest malicious intent.
bash_persist_persistent YARA rule matches in bun_environment.js and setup_bun.js: This indicates the package attempts to modify shell startup files, potentially for persistence. This is a common malware technique.

npm_preinstall_command YARA rule match in package.json: The preinstall script executes arbitrary code (node setup_bun.js) before installation. This is a high-risk behavior often used by malicious packages to inject malware.

preinstall script: LLM confirms the preinstall script executes arbitrary code (node setup_bun.js), which is a red flag.

Hardcoded API key in wallet-evm.esm.js: This is a security vulnerability that could be exploited if the API key is compromised. While not directly indicative of malware, it demonstrates poor security practices and increases the risk profile of the package.

These multiple indicators, particularly the shell persistence attempts and the preinstall script, warrant classifying this package as malware.