False-positive malware advisories on Angular package repo

I faced a problem when I tried to develop an Angular application.
There is one repo, “@bmw-ds/components”, which is suddenly marked as having critical vulnerabilities to fix, with a URL attached: Malware in @bmw-ds/components · GHSA-pmc5-chc8-4p3v · GitHub Advisory Database · GitHub

Why is this error published on GitHub, and how can I make sure it is not a false positive? And if it is, how do I report it to remove the alert?