Note: This report is updated by a verification record
Multiple suspicious behaviors: preinstall script execution, bash startup file access, and code obfuscation suggest malicious activity.
Confirmed malicious package, part of a coordinated supply chain attack targeting the npm ecosystem.
The package exhibits multiple suspicious behaviors. Firstly, the package.json includes a preinstall script that executes node setup_bun.js, enabling arbitrary code execution before installation. This is flagged as suspicious by the LLM. Secondly, both bun_environment.js and setup_bun.js access multiple bash startup files, indicating potential persistence attempts. Finally, victoria-wallet-type.cjs.production.min.js contains XOR-obfuscated terms, suggesting an attempt to hide malicious intent. The combination of preinstall script execution, bash startup file access, and code obfuscation strongly suggests malicious activity.