Considering node.js is able to spawn subshells and execute whatever code it wants when running, install scripts pose no additional threat to just running the JavaScript.
The changes a package install makes ought to be limited to the source files within its subdirectory (and perhaps some precompiled binaries). I don't quite expect it to be installing rootkits, and the principle of least privilege dictates that it should not be allowed to.
Once the package is installed, it is already too late for a code review, or any mitigation. A well-written worm will never be detected.
It is unexpectedly bad design (or, in case of the JavaScript community, an expectedly bad design).