You can disable Windows Script Host or modify the registry to require a .js attachment be double-clicked before it can run.
That should prevent malware from being silently installed without user permission.
Article here on Bleeping Computer
easy to do
I created a “test.js” in a text editor to verify the fix worked, and Windows said it blocked it from running.
bkmk
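For the "disable Windows Script Host" option mentioned above, here is an added example (not from the original posts or the linked article) that audits the machine-wide WSH setting, disables it, and then repeats the test.js check with a harmless probe script. The thread does not give the registry location; the script assumes the standard `Enabled` value under the Windows Script Host `Settings` key, an elevated 64-bit PowerShell session, and a constructed probe file name.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and disable Windows Script Host (WSH) machine-wide.
# Assumption: run from 64-bit PowerShell so HKLM:\SOFTWARE is not redirected.

$settingsKeys = @('HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings')
if ([Environment]::Is64BitOperatingSystem) {
    # 32-bit wscript.exe/cscript.exe read the WOW6432Node view of the key.
    $settingsKeys += 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings'
}

function Get-WshState {
    param([string]$Key)
    $value = (Get-ItemProperty -Path $Key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    # A missing value leaves WSH enabled; 0 disables it.
    if ($null -eq $value)     { 'enabled (value not set)' }
    elseif ("$value" -eq '0') { 'disabled' }
    else                      { "enabled (Enabled=$value)" }
}

foreach ($key in $settingsKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    "Before: $key is $(Get-WshState $key)"
    # -Force overwrites an existing value, whatever its type.
    New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
    "After:  $key is $(Get-WshState $key)"
}

# Verification, mirroring the test.js check described in the thread.
# The probe only echoes a marker string; the file name is constructed.
$probe = Join-Path $env:TEMP 'wsh-probe.js'
Set-Content -Path $probe -Value 'WScript.Echo("WSH-RAN");' -Encoding ASCII
try {
    $output = & cscript.exe //NoLogo $probe 2>&1 | Out-String
} finally {
    Remove-Item -Path $probe -ErrorAction SilentlyContinue
}

if ($output -match 'WSH-RAN') {
    Write-Warning 'WSH still executed the probe script.'
} else {
    'WSH refused to run the probe script:'
    $output.Trim()
}
```

To undo the change, set `Enabled` back to 1 or remove the value from both keys. Anything that legitimately depends on `.js`, `.vbs` or `.wsf` scripts run through WSH (some logon scripts and installers) will stop working while it is disabled.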