The package @img/sharp-libvips-linux-x64 version 1.2.3 contains a shared object file (libvips-cpp.so.8.17.2). While the extension .2 is unusual and triggers an "Extension Mismatch" warning, the file is still identified as an ELF executable. The libvips library is known to utilize shared object files for its functionality, making the embedded executable a legitimate part of the package. The absence of SLSA provenances and project information doesn't automatically indicate malicious intent, especially considering the nature of the package and the presence of a valid shared object file.