zarzavat 2 days ago

This is not true. Attackers are usually not publishing packages under their own accounts. They are publishing packages using hacked accounts of major packages that have many dependants.

The real owner will (hopefully) notice when a malicious version is published.

If you use a cooldown then it gives the real owner of the account enough time to report the hack and get the malicious version taken down.

skeeter2020 2 days ago | parent

We tend to find two types of compromised packages: 1. the type you describe; literally published with stolen creds while the owner sleeps, and found the next day. 2. packages with malware found months or years after the fact, while everyone happily goes about their day. Cool-downs of only a few days basically solve the first, while neither of these solves the second.
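As an added illustration (not code from either commenter), here is a small Python resolver that applies the kind of cooldown discussed above to an npm-style registry `time` map: it refuses any version published less than N days ago and reports which versions are still inside the window. The package name, versions and dates are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample of the `time` map in an npm registry package document.
# Package and dates are hypothetical; "1.1.1" plays the role of a release
# pushed from a stolen maintainer account and not yet noticed by the owner.
SAMPLE_TIME = {
    "created": "2023-01-01T00:00:00.000Z",
    "modified": "2024-06-01T12:00:00.000Z",
    "1.0.0": "2023-01-01T00:00:00.000Z",
    "1.1.0": "2024-03-15T09:30:00.000Z",
    "1.1.1": "2024-06-01T12:00:00.000Z",
}

META_KEYS = {"created", "modified"}  # non-version entries in the map


def parse_iso(ts):
    """Parse the registry's ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def version_key(version):
    """Sort key for plain numeric semver strings such as '1.10.2'."""
    return tuple(int(part) for part in version.split("."))


def held_back(time_map, cooldown_days, now):
    """Versions published inside the cooldown window, i.e. not yet installable."""
    cutoff = now - timedelta(days=cooldown_days)
    return sorted(
        (v for v, ts in time_map.items() if v not in META_KEYS and parse_iso(ts) > cutoff),
        key=version_key,
    )


def pick_cooled_down(time_map, cooldown_days, now):
    """Newest version that has been public for at least cooldown_days, or None."""
    blocked = set(held_back(time_map, cooldown_days, now))
    eligible = [v for v in time_map if v not in META_KEYS and v not in blocked]
    return max(eligible, key=version_key) if eligible else None


if __name__ == "__main__":
    now = parse_iso("2024-06-03T00:00:00Z")  # constructed "current" time
    print("install:", pick_cooled_down(SAMPLE_TIME, 7, now))
    print("held back:", held_back(SAMPLE_TIME, 7, now))
```

With a seven-day cooldown the resolver installs 1.1.0 and holds back 1.1.1, which is the window in which the real owner can report the compromise; a version that has sat unnoticed for years passes the check, which is the second case the comment describes.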