This analysis was performed using vet and SafeDep Cloud Malicious Package Analysis. Integrate with GitHub using vet-action GitHub Action.
The package contains a shared object file, which is expected for native bindings. Verified provenance and project popularity suggest it's not malware.
The package @img/sharp-libvips-linux-ppc64 version 1.2.3 contains a shared object file libvips-cpp.so.8.17.2. The file is an ELF executable, which is expected for a library that provides native bindings. The extension mismatch .2 is unusual but not inherently malicious. Given the project's relatively high number of stars and forks, and the verified provenance, it is likely a legitimate package providing pre-compiled binaries. The embedded executable is part of the library's functionality and doesn't indicate malicious intent.