The package is not a malware because there is only one YARA rule match. The YARA rule python_exec_complex is matching a *.js file, which is a known false positive. There are no other strong evidences to classify this package as malware.