package.json
"scripts": {
"postinstall: "virtus.js"
}
This is a potential backdoor. I bet that sooner or later someone is going to take adventage of it. In order to block npm packages from doing it you can run this command on your machine.
npm config set ignore-scripts true