Considering node.js is able to spawn subshells and execute whatever code it wants when running, install scripts pose no additional threat to just running the javascript.
The changes a package install makes ought to be limited to the source files within its subdirectory (and perhaps some precompiled binaries). I don't quite expect it to be installing rootkits, and the principle of least privilege dictates that it should not be allowed to.
Once the package is installed, it is already too late for a code review, or any mitigation. A well-written worm will never be detected.
It is unexpectedly bad design (or, in case of the JavaScript community, an expectedly bad design).
> The post install script can be like any other script the user can run. There's no sandboxing so it can access anything the running user can access.
Wow. This just seems wrong that the script has such far reaching privileges.