
Given the Twitter web interface is just a client of the Twitter semi-public API, I highly doubt this is it.


As long as the API isn't running on node, right? :)


I'd suspect the web interface has UI that's wrapped around the semi-public API. It's that web interface I'm worried about.


But the Twitter web interface has access to post (since you can post via it), so it would be possible.


The Twitter web interface doesn't - it's just a JavaScript app that runs in your browser. To post a tweet, it uses the same public API that all third parties use.

To posit that it was an npm vulnerability in the frontend that caused this hack implies that anyone can just curl their way into someone else's account.


Compromising the web interface would mean you can steal session tokens.



