Hacker News

Rohansi, today at 4:27 AM, 0 replies

> There's a huge difference, because postinstall scripts are almost guaranteed to run in your CI pipeline. Compromised code probably won't (maybe it will if your test cases test a compromised package).

You don't need to test a compromised package to have it execute code. Importing it anywhere in your tests is enough, even transitively.

It's for sure less likely to run but I doubt it's significantly different in practice.