The package is not a malware because the YARA rule python_exec_complex is matching javascript files. This rule is designed to detect python code execution and should not trigger on javascript files. Also, the confidence level is low.