Googling it brought up this package from npm, which actually claims it was taken down for containing malicious code, but I couldn't find anything in the actual advisories, and I'm not convinced this is the package contained in kibana.
Before I ask IT to whitelist this, does anyone have any insight into why this might be happening and if there's an actual security risk? This happens on fresh installs on windows or linux and without any plugins installed.
The file kbn-ui-shared-deps-npm.dll.js is not an npm package and is a bundle we build as part of the Kibana build with a couple of stateful node_modules we use on Kibana. This file is served through a package called @kbn/ui-shared-deps-npm which is in the node_modules folder but its not distributed over the npm. We built it locally and ship it as part of the Kibana distributable.