Think about how plugins and themes operate on your website from a backend functionality perspective. NPM packages function in much the same way. All content management systems (CMS) - including popular ones such as WordPress, Joomla, Drupal, and OpenCart - use NPM packages to extend frontend functionality.
This doesn't make NPM packages inherently dangerous - but when they're compromised, it's a very different story.