Installed a package with npm today... it went like this:
First, npm warned about 2 known security holes in libraries, but installed them anyway. One was a 2017 code execution vulnerability in some kind of eval library, fixed in a newer version but the dependency had not been updated. Yikes.
Then npm crashed. I restarted it.
Then a package used a postinstall script to display an advertisement.
Then a package used a postinstall script to download a binary blob.