There's a growing risk of maliciously crafted npm modules wreaking havoc on our Node.js applications.
I wrote a post over on my employer's blog entitled The Dangers of Malicious Modules which explains a lot of these dangers. For example, did you know that a module which is loaded anywhere in your application's dependency chain can completely change the behavior of any internal Node.js APIs?
In a related story, Protecting Node.js Applications from Zip Slip, I talk about a path traversal vulnerability when extracting archives containing directories with .. as their names. This can be used to clobber existing files.
There are many attack vectors against Node.js applications, and over time they will only become a more lucrative target.