> This detection was assigned to an embedded Windows executable file...

I think this should be enough to declare it "malware", no? Why would one put a Windows (or any other) executable into repository for Javascript packages except to be malicious?