The package @esbuild/netbsd-x64 contains an embedded executable package/bin/esbuild. While this raises a flag, it's not sufficient to classify the package as malware. The esbuild project itself is a legitimate and well-known project with a large number of stars and forks on GitHub. Embedded executables can be a legitimate part of software distribution, particularly for pre-compiled binaries. Without further evidence of malicious behavior, it's safer to assume this is a legitimate use case.