Package not malware. http_url_with_msi matched yarnpkg.com/latest.msi, a legitimate Yarn installer URL. Project has high stars/forks.
No verification record available.
The package @yarnpkg/lockfile version 1.1.0 is likely not malware. While the YARA rule http_url_with_msi detected a hardcoded URL https://yarnpkg.com/latest.msi in index.js, this is a legitimate URL pointing to the official Yarn package manager installer. The project yarnpkg/yarn has a substantial number of stars and forks, indicating a well-established and trusted project. The fact that the package has few published versions is a weak signal. Therefore, the presence of the Yarn installer URL is not indicative of malicious behavior in this context.