TZubiri a day ago

Does npm install pull code from that GitHub repo, though? If not, auditing that repo is a huge blunder.

I'm seeing this from npm, which is a bit different:

https://www.npmjs.com/package/playcaptcha

Not saying the package is malicious (although it might be, but it's a more likely threat that the devs themselves become infected by a supply chain worm and spread it downstream); just saying, if you are going to audit it, actually audit it as if you were up against an attacker.
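The point above is that `npm install` fetches the registry tarball, not the GitHub tree, so an audit has to look at the artifact that actually ships. As an added illustration (not the commenter's code, and not tied to any real package), the script below diffs a registry tarball against a source checkout and reports files the tarball adds or changes; `demo()` builds a constructed fixture in a temp directory in which the published copy carries a `postinstall` hook and a file the repo never had. For a real package you would obtain the tarball with `npm pack <name>` and point `compare()` at it and at a clone of the repository.

```python
import hashlib
import io
import json
import os
import tarfile
import tempfile

def _sha256(data):
    return hashlib.sha256(data).hexdigest()

def tarball_files(tarball_path):
    """Map path -> sha256 for every regular file in an npm tarball, minus the 'package/' prefix."""
    out = {}
    with tarfile.open(tarball_path, "r:gz") as tf:
        for m in tf.getmembers():
            if m.isfile():
                out[m.name.split("/", 1)[-1]] = _sha256(tf.extractfile(m).read())
    return out

def tree_files(root):
    """Same map for a checked-out source tree, skipping .git and node_modules."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for f in filenames:
            path = os.path.join(dirpath, f)
            with open(path, "rb") as fh:
                out[os.path.relpath(path, root).replace(os.sep, "/")] = _sha256(fh.read())
    return out

def compare(tarball_path, repo_root):
    """Report what the published artifact contains that the audited repo does not (and vice versa)."""
    pub, src = tarball_files(tarball_path), tree_files(repo_root)
    return {
        "only_in_tarball": sorted(set(pub) - set(src)),
        "modified": sorted(p for p in pub if p in src and pub[p] != src[p]),
        "only_in_repo": sorted(set(src) - set(pub)),
    }

def demo():
    """Constructed fixture (hypothetical 'demo-pkg'): repo checkout vs. a tarball with an extra install hook."""
    tmp = tempfile.mkdtemp()
    repo = os.path.join(tmp, "repo")
    os.makedirs(repo)
    base = {"name": "demo-pkg", "version": "1.0.0"}
    in_repo = {"package.json": json.dumps(base), "index.js": "module.exports = () => 'ok';\n"}
    for name, text in in_repo.items():
        with open(os.path.join(repo, name), "w") as fh:
            fh.write(text)
    published = dict(in_repo, setup_js="")  # placeholder replaced below
    del published["setup_js"]
    published["package.json"] = json.dumps(dict(base, scripts={"postinstall": "node setup.js"}))
    published["setup.js"] = "// constructed: exists only in the registry tarball, not in the repo\n"
    tgz = os.path.join(tmp, "demo-pkg-1.0.0.tgz")
    with tarfile.open(tgz, "w:gz") as tf:
        for name, text in published.items():
            info = tarfile.TarInfo("package/" + name)
            info.size = len(text.encode())
            tf.addfile(info, io.BytesIO(text.encode()))
    return compare(tgz, repo)
```

Anything listed under `only_in_tarball` or `modified`, especially a changed `package.json` `scripts` block, is what the repo audit would have missed.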