On linux realistically whatever user you installed the malicious NPM package with has access to everything you care about anyway.

Every user, since privesc is so easy on most operating systems.

	▲	Gigachad an hour ago \| parent [-]
		Sure, without exploits they can steal your api keys, read your personal data, and access your browser data. With exploits they can update packages on your computer too.