Embedded executable and extension mismatch found, but verified provenance and project popularity suggest legitimate use. Not classified as malware.
No verification record available.
The package @biomejs/cli-darwin-arm64 contains an embedded executable package/biome which has an extension mismatch. The project biomejs/biome has a substantial number of stars and forks, suggesting it is a legitimate project. Additionally, the SLSA provenance is verified, indicating a secure build process. While the embedded executable and extension mismatch raise concerns, the verified provenance and the project's popularity suggest it is likely a legitimate use case, such as a pre-compiled binary. Without stronger evidence, it's not possible to classify this as malware.
