Imagine that guy has this big npm repository locally with all those dodgy libraries with uncontrolled origin, in their /lib/node_modules with root permissions.

Wait, we all do, here.

You can use a custom npm prefix to avoid the mess you're describing. So basically:

See current prefix:

> npm config get prefix

Set prefix to something you can write to without sudo:

> npm config set prefix /some/custom/path