The package @esbuild/linux-arm contains an embedded executable package/bin/esbuild. While this raises a security concern, it's a single piece of evidence. Given the package name and the project esbuild having a large number of stars and forks, it is likely a legitimate use case for a pre-compiled binary. Without further evidence, I cannot classify this as malware.