Seems like with deno, setting granular permissions for only what’s necessary, you might be able to block an attack like this. I’m just getting started with deno, though, so I’m not sure, but it looks doable to me.
Node.js now has a stable permissions model, though it's very limited compared to Deno's (I don't see anything about blocking network requests). Node also says "This feature does not protect against malicious code"
https://nodejs.org/docs/latest-v22.x/api/permissions.html