Not really much they can do other than take it down and maybe 'protect' some popular packages from typo squatting by reserving some common misspellings. They're a public repository where users upload arbitrary code. The trust relationship really isn't there.
You trust NPM to be secure and serve exactly the code that the author published unmodified.
You trust the author to not act maliciously. Nothing you can really do if a user voluntarily installs leet-virus.
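The "reserve some common misspellings" idea from the comment above, as an added example that is not part of the original post: generate the one-keystroke neighbours of a popular package name (the names a registry would reserve) and check a requested name against them with a transposition-aware edit distance. `POPULAR` is a constructed sample, not a real registry list.

```python
# Added example, not from the post or from NPM: a defender-side typosquat
# check a registry or an install hook could run. POPULAR is constructed.
from typing import Iterable, Optional, Set

POPULAR = {"lodash", "express", "request", "react"}  # constructed sample
ALPHABET = "abcdefghijklmnopqrstuvwxyz-_.0123456789"


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, and
    swap of adjacent characters each cost 1, so 'lodahs' vs 'lodash' is 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[len(a)][len(b)]


def typo_variants(name: str) -> Set[str]:
    """Every name one keystroke away from `name`: the set a registry would
    reserve so nobody else can publish under it."""
    splits = [(name[:i], name[i:]) for i in range(len(name) + 1)]
    deletes = {l + r[1:] for l, r in splits if r}
    swaps = {l + r[1] + r[0] + r[2:] for l, r in splits if len(r) > 1}
    subs = {l + c + r[1:] for l, r in splits if r for c in ALPHABET}
    inserts = {l + c + r for l, r in splits for c in ALPHABET}
    return (deletes | swaps | subs | inserts) - {name}


def is_typosquat(candidate: str, popular: Iterable[str] = POPULAR,
                 max_dist: int = 1) -> Optional[str]:
    """Return the popular name `candidate` collides with, or None.
    An exact match is the real package, not a squat."""
    for p in popular:
        if candidate != p and edit_distance(candidate, p) <= max_dist:
            return p
    return None


if __name__ == "__main__":
    for name in ("lodahs", "expres", "lodash", "left-pad"):
        print(name, "->", is_typosquat(name))
```

Raising `max_dist` to 2 widens the net but starts flagging legitimate short names, so registries in practice pair the distance check with a list of known popular packages rather than applying it to everything.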