This is exactly what has made me extremely nervous about NPM. There is no security oversight at all and modules running on my dev machine with my full credentials could be uploading anything - Looks like I'll have to move node.js development to a sterile VM.