Embedded executable found, but legitimate use is possible. High GitHub stars, forks and verified SLSA provenance suggest it's not malware.
No verification record available.
The package @esbuild/linux-arm contains an embedded executable, package/bin/esbuild. While this raises a medium-confidence security concern, it is not sufficient to classify the package as malware. There are legitimate uses for embedding executables, especially in packages that provide pre-compiled binaries. Without further evidence of malicious behavior, it is safer to assume this is a legitimate use case, especially considering the project's high star and fork counts on GitHub and the presence of a verified SLSA provenance.