ESLint-config-prettier briefly had a few versions with malware published (github.com/prettier)
10 points by butz 10 months ago | 2 comments


While the issue is already fixed, it would be interesting to know what precautions users of npm packages should take to prevent running malware on their PC during npm package installation.


Only install npm dependencies in a Docker container, e.g. dev containers offer an easy way to do that (the speed on macOS isn't great but hey)

Aikido scans all published npm packages in realtime: https://intel.aikido.dev/?tab=malware



