> the attacker might change the contents of the package instead of adding `postinstall` or `preinstall` hooks.
Ultimately, any code inside an npm package needs to be run by default in the context of a sandbox, such as vm2 or SES. That way a developer would have to opt in to granting permissions for a package to run executable code.