The package google.golang.org/protobuf version v1.36.10 is not classified as malware. The only evidence is a YARA rule match js_hex_obfuscation in the file pack_test.go. This rule indicates javascript function obfuscation using hexadecimal encoding. However, the matched file is a Go file, and the confidence level is low. Without stronger evidence, it's not possible to classify this package as malware.