The package is not a malware because the YARA rule python_exec_complex matched a non-python source file (*.js and *.map files). According to the instructions, this is a false positive. There are no other strong evidences to classify this package as malware.