There is no open-source requirement, like there would be on Gentoo packages for instance. NPM packages frequently pull arbitrary binaries in their install scripts.
1. There are thousands of dependencies in a usual lockfile.
2. A package author can push something other than the repository contents to npm, or change the contents before pushing to npm, making the whole open source thing useless.
3. As someone else pointed out, you can download+exec when an npm package is installed.
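A defender-side check for point 3, added here as an example and not part of the original comment: it walks a node_modules tree and reports every package that declares an install-phase lifecycle script, which is exactly where download+exec happens. The package names and directory layout are a constructed fixture, not a real install.

```python
import json
import tempfile
from pathlib import Path

# Lifecycle scripts npm runs automatically during `npm install`
# (standard npm hook names; `prepare` also runs for git and local dependencies).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def install_hooks(manifest: dict) -> dict:
    """Return only the install-phase scripts declared in a parsed package.json."""
    scripts = manifest.get("scripts") or {}
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}

def audit_node_modules(root) -> dict:
    """Walk a node_modules tree (nested and @scoped packages included) and map
    each package directory (relative to root) to the install hooks it declares."""
    root = Path(root)
    findings = {}
    for manifest_path in sorted(root.rglob("package.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: npm would not run hooks from it
        hooks = install_hooks(manifest) if isinstance(manifest, dict) else {}
        if hooks:
            findings[manifest_path.parent.relative_to(root).as_posix()] = hooks
    return findings

def build_fixture(root) -> None:
    """Constructed sample tree (not a real install): a clean package, one with a
    postinstall hook, and a nested scoped dependency with a preinstall hook."""
    manifests = {
        "node_modules/left-pad": {"name": "left-pad", "scripts": {"test": "tap"}},
        "node_modules/some-cli": {"name": "some-cli",
                                  "scripts": {"postinstall": "node scripts/fetch-binary.js"}},
        "node_modules/some-cli/node_modules/@acme/helper": {
            "name": "@acme/helper", "scripts": {"preinstall": "sh ./setup.sh"}},
    }
    for rel, manifest in manifests.items():
        pkg_dir = Path(root) / rel
        pkg_dir.mkdir(parents=True, exist_ok=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")

def run_demo() -> dict:
    """Build the fixture in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return audit_node_modules(tmp)
```

Setting `ignore-scripts=true` in `.npmrc` stops npm from running these hooks at all; the audit output then tells you which packages would need their hooks run deliberately.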