In cases like this that isn’t an issue, NPM takes the malicious package down and you roll back to the previous version.

The problem would be new versions that fix security issues though, and because this is all open source as soon as you publish the fix everyone knows the vulnerability. You wouldn’t want everyone to stay on the insecure version with a basically public vulnerability for a week.