/vendor/psy/psysh/src/Psy/Shell.php

Not malware (unless your connection was compromised). You can verify this yourself by reading the source code.

/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

That other file has absolutely nothing to do with Psy/Shell.php. In fact, you probably shouldn't even have that file on your production server. Install your dependencies using --no-dev.

I also received a similar email from GoDaddy flagging the following files as malware.

public_html/app/vendor/psy/psysh/src/Psy/ExecutionLoop/ForkingLoop.php

public_html/app/vendor/psy/psysh/src/Psy/ExecutionLoop/Loop.php

It is the same package of Psy. Does anyone know how to resolve this?

I believe its sucuri (the protection go daddy uses) I just got this email:

Warning: File possibly compromised: ./application/vendor/psy/psysh/src/Psy/ExecutionLoop/ForkingLoop.php (php.backdoor.psyshell.001). Manual review recommended. Warning: File possibly compromised: ./application/vendor/psy/psysh/src/Psy/ExecutionLoop/Loop.php (php.backdoor.psyshell.001). Manual review recommended.