The package @esbuild/android-arm64 contains an embedded executable package/bin/esbuild. While this raises a medium confidence security concern, embedding executables can be a legitimate practice for pre-compiled binaries. Without stronger evidence, it's not possible to classify this as malware.