The package is marked as malware by OSV: MAL-2025-191146 with source: ghsa-malware

Note: This report is updated by a verification record

The package exhibits multiple suspicious behaviors. The package.json includes a preinstall script executing node setup_bun.js, which is a known technique for malware to gain access before installation. Both bun_environment.js and setup_bun.js match the bash_persist_persistent YARA rule, indicating potential attempts to modify shell startup files for persistence. The combination of preinstall script execution and shell persistence attempts strongly suggests malicious intent.