skeeter2020 2 days ago
We tend to find two types of compromised packages: 1. the type you describe; literally published with stolen creds while the owner sleeps, and found the next day. 2. packages with malware found months or years after the fact, while everyone happily goes about their day. Cool-downs of only a few days basically solve the first, while neither of these solves the second.