The package is not a malware because the evidences are weak. The YARA rule large_random_variables matched in AsYouTypeParser.js and es6/AsYouTypeParser.js files which indicates the presence of large random variable names but it is a low confidence and common in obfuscated code. Also, the YARA rule generic_launchctl_loader matched in README.md file which indicates loading a launchd service, but this is likely a false positive or part of documentation, not necessarily malicious activity. Therefore, there is no strong evidence to classify this package as malware.