These malicious packages are being caught by the authors, and by automated package security scanners, not just by end users. npm should start setting this 7 day cooldown as default.

Even 12 hours would probably be enough. Those automatic malware scanning companies are getting really fast.