Could they detect code running from a new IP address or location and ask for a 2FA code?

postinstall is running on the developer's machine, from an endpoint security perspective, it's the actual developer performing the malicious actions, their machine, their IP address and their location.