The maintainers did notice in both of the recent attacks, but it takes time to regain access to your compromised account to take the package down, contact npm, etc.

All recent attacks have also been noticed within hours of release by security companies that automatically scan all newly released packages published to npm.

So as far as I know all recent attacks would have been avoided by adding a short delay.