The package contains an embedded executable (package/lib/libvips-cpp.so.8.17.3). While this raises a security concern, it's also a valid use case for pre-compiled binaries. The file extension mismatch is a low confidence indicator. Without stronger evidence, it's not possible to classify the package as malware. The project has stars and forks indicating some level of legitimacy.