The package is not a malware because the YARA rule python_exec_complex matched a non-python source file (color-depth.mjs and color-depth.ts). Also, the YARA rule download_sites matched the files discord.mjs and discord.ts, which is related to discordapp.com. This is likely a legitimate use of the Discord API to fetch user avatars, and not indicative of malicious behavior.