Note: This report is updated by a verification record
Low-confidence YARA rule bash_persist_persistent matches; insufficient evidence to classify as malware. Might be related to the Bun runtime.
Confirmed malicious package as part of coordinated supply chain attack targeting npm ecosystem
The package is not classified as malware on the available evidence: the only indicator is a match on the low-confidence YARA rule bash_persist_persistent, and a single low-confidence match is not sufficient for a malware verdict and may be a false positive. The matched files, bun_environment.js and setup_bun.js, suggest the package is related to the Bun runtime environment. Modifying shell startup files is not inherently malicious; a legitimate installer may append environment variables or PATH entries to them, and a corroborating indicator (for example, the modification running automatically from an install lifecycle hook, or the appended content fetching or executing remote code) would be needed to raise the confidence.
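The corroboration step described above, as an added example that is not part of the original report or of any scanner's own code: it unpacks an npm tarball, flags files that both name a shell startup file and contain a write primitive (a regex stand-in for a low-confidence persistence rule; it is not the real bash_persist_persistent rule), then checks whether any flagged file is reachable from an install lifecycle script, which is what turns "this file could modify ~/.bashrc" into "this runs on every install". The package contents, file names and `build_sample_package` helper are constructed for the example.

```python
"""Triage a low-confidence shell-startup-persistence hit in an npm tarball."""
import io
import json
import re
import tarfile

# Heuristic stand-in for a low-confidence persistence rule (NOT the real YARA rule).
STARTUP_FILES = re.compile(r"\.(bashrc|bash_profile|zshrc|zshenv|profile)\b")
WRITE_HINTS = re.compile(r"(appendFileSync|writeFileSync|>>\s*\$?HOME|>>\s*~)")
INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}


def build_sample_package(postinstall: bool = True) -> bytes:
    """Constructed sample tarball in npm layout (package/...); not a real package."""
    scripts = {"postinstall": "node setup_bun.js"} if postinstall else {}
    files = {
        "package/package.json": json.dumps(
            {"name": "example-pkg", "version": "1.0.0", "scripts": scripts}),
        # Appends an env var to ~/.bashrc: plausible for an installer, also a persistence pattern.
        "package/setup_bun.js": (
            "const fs = require('fs'); const os = require('os'); const path = require('path');\n"
            "const rc = path.join(os.homedir(), '.bashrc');\n"
            "fs.appendFileSync(rc, '\\nexport BUN_INSTALL=\"$HOME/.bun\"\\n');\n"
            "require('./bun_environment.js');\n"
        ),
        "package/bun_environment.js": "module.exports = {};\n",
        "package/index.js": "module.exports = () => 'hello';\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_package(tar_bytes: bytes) -> dict:
    """Return {relative_path: text} for regular files under package/."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                out[member.name.removeprefix("package/")] = text
    return out


def install_hook_entrypoints(pkg: dict) -> set:
    """JS files started by lifecycle scripts ("node x.js"); these run with no user action."""
    scripts = json.loads(pkg.get("package.json", "{}")).get("scripts", {})
    entries = set()
    for hook, cmd in scripts.items():
        if hook in INSTALL_HOOKS:
            entries.update(re.findall(r"node\s+(?:\./)?([\w./-]+\.js)", cmd))
    return entries


def startup_file_writers(pkg: dict) -> set:
    """Files naming a shell startup file AND containing a write primitive."""
    return {p for p, t in pkg.items() if STARTUP_FILES.search(t) and WRITE_HINTS.search(t)}


def reachable_from(pkg: dict, entry: str) -> set:
    """Follow relative require('./x') edges from an entry file."""
    seen, stack = set(), [entry]
    while stack:
        cur = stack.pop()
        if cur in seen or cur not in pkg:
            continue
        seen.add(cur)
        for dep in re.findall(r"require\(['\"]\./([\w./-]+)['\"]\)", pkg[cur]):
            stack.append(dep if dep.endswith(".js") else dep + ".js")
    return seen


def triage(tar_bytes: bytes) -> dict:
    """Grade a persistence hit by whether the writer executes automatically at install."""
    pkg = read_package(tar_bytes)
    writers = startup_file_writers(pkg)
    hooks = install_hook_entrypoints(pkg)
    auto_run = set()
    for entry in hooks:
        auto_run |= reachable_from(pkg, entry) & writers
    if not writers:
        verdict = "no-hit"
    elif auto_run:
        verdict = "needs-review"     # runs at install time: escalate to manual review
    else:
        verdict = "low-confidence"   # pattern present, but nothing invokes it automatically
    return {"writers": sorted(writers), "hooks": sorted(hooks),
            "auto_run_writers": sorted(auto_run), "verdict": verdict}


if __name__ == "__main__":
    print(triage(build_sample_package(postinstall=True)))
    print(triage(build_sample_package(postinstall=False)))
```

Even "needs-review" is not a malware verdict; it only says the startup-file write is reachable without user action, which is the extra evidence a human reviewer would check next (what the appended line does, and whether it fetches or executes anything remote).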