by always_good 2754 days ago
The NPM organization could go much further to make these attacks harder.

You pitch a really good one: Any time you npm update/install, display ownership changes (especially compared to your prev version).

Another one is to show the source code on the NPM website itself instead of hiding it in a tarball. NPM basically trains people to assume the published code == the code at the linked repository. It's a hacky honor system that only helps attackers.

1 comments

Another easy suggestion is that NPM could have forced a semver major change on the new maintainer. It would have been an easy signal for people to check what changed, and fewer developers would have accidentally installed the infected version because it was only a "minor" change.
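The two suggestions above, showing who published each version and treating a change of publisher without a major version bump as a signal to stop and look, can be checked on the consumer side today from the registry's own metadata. The following is an added example, not code from either commenter or from npm itself. It reads a package document in the shape the npm registry returns for `GET https://registry.npmjs.org/<name>` (the `versions`, `maintainers`, `_npmUser` and `dist-tags` fields are real registry fields); every package name, version and user in the embedded sample is constructed for this example, and the names `ownership_changes`, `review_update` and `parse_semver` are this example's own.

```python
"""Flag npm upgrades where the publisher or maintainer set changed without a
major version bump. Added example; the sample metadata below is constructed."""
import json

# Constructed sample in the shape of an npm registry packument. The field names
# ("versions", "maintainers", "_npmUser", "dist-tags", "dependencies") are the
# registry's real ones; the package, versions and users are made up.
SAMPLE_PACKUMENT = {
    "name": "example-pkg",
    "dist-tags": {"latest": "3.3.6"},
    "versions": {
        "3.3.5": {
            "version": "3.3.5",
            "_npmUser": {"name": "original-author", "email": "oa@example.invalid"},
            "maintainers": [{"name": "original-author", "email": "oa@example.invalid"}],
            "dependencies": {},
        },
        "3.3.6": {
            "version": "3.3.6",
            "_npmUser": {"name": "new-maintainer", "email": "nm@example.invalid"},
            "maintainers": [{"name": "new-maintainer", "email": "nm@example.invalid"}],
            "dependencies": {"helper-lib": "0.1.1"},
        },
    },
}


def parse_semver(version):
    """Return (major, minor, patch) for an x.y.z version, ignoring prerelease/build tags."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a plain semver string: {version!r}")
    return tuple(int(p) for p in parts)


def ownership_changes(packument, old_version, new_version):
    """Describe publisher, maintainer and dependency differences between two versions."""
    old = packument["versions"][old_version]
    new = packument["versions"][new_version]
    old_maint = {m["name"] for m in old.get("maintainers", [])}
    new_maint = {m["name"] for m in new.get("maintainers", [])}
    old_pub = old.get("_npmUser", {}).get("name")
    new_pub = new.get("_npmUser", {}).get("name")
    old_deps = set(old.get("dependencies", {}))
    new_deps = set(new.get("dependencies", {}))
    return {
        "publisher_changed": old_pub != new_pub,
        "old_publisher": old_pub,
        "new_publisher": new_pub,
        "maintainers_added": sorted(new_maint - old_maint),
        "maintainers_removed": sorted(old_maint - new_maint),
        # A new transitive dependency is where injected code often lives.
        "dependencies_added": sorted(new_deps - old_deps),
        "major_bump": parse_semver(new_version)[0] > parse_semver(old_version)[0],
    }


def review_update(packument, old_version, new_version):
    """Return (should_hold, findings).

    Hold the upgrade for manual review when ownership moved but the version
    only changed at minor/patch level, i.e. the case the thread describes where
    a "minor" bump hides a change of hands.
    """
    findings = ownership_changes(packument, old_version, new_version)
    ownership_moved = (
        findings["publisher_changed"]
        or bool(findings["maintainers_added"])
        or bool(findings["maintainers_removed"])
    )
    should_hold = bool(ownership_moved) and not findings["major_bump"]
    return should_hold, findings


if __name__ == "__main__":
    hold, info = review_update(SAMPLE_PACKUMENT, "3.3.5", "3.3.6")
    print(json.dumps(info, indent=2))
    print("hold for manual review" if hold else "ownership unchanged or major bump")
```

In practice you would feed `review_update` the packument fetched for each package in a lockfile diff, with `old_version` taken from the previous lockfile and `new_version` from the proposed one, and surface the findings in CI or a pre-install hook. The check deliberately treats a replaced publisher and a replaced maintainer list as equivalent triggers, since either is the "ownership change" the first comment asks npm to display.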