As I understand it, every library in the npm registry (the libraries you can install using npm) is also automatically approved (which sounds reasonable; you don't want to approve every library by hand).
And that's what the author exploits by registering a library that has a symlink in it, which then got executed.