Yes (assuming they're doing frontend dev and including the resources from the page). The code is fetched and executed from the browser, so It'll have to escape the browser sandbox to do something nefarious.

Yes, none of npm's lifecycle hooks. You're just pulling bytes over the wire.