It's extremely rare that I install a dependency without executing code from it shortly after. I think postinstall scripts are unfortunate and an anti-pattern, but I don't realistically think that their removal would do very much to avoid these kinds of attacks.