The YARA rule post_to_hardcoded_http matched the README.md file. While this is suspicious, it is not sufficient to classify the package as malware. The matched string axios.post('https://something.com/ in the README file could be part of an example or documentation. Without further evidence of malicious intent or behavior, it's not possible to confirm that the package is malicious. A single YARA rule match is not enough to classify a package as malware.