by ghughes 1579 days ago
Probably? The author limited their audit to the top 1,000 packages + dependencies. I would not be surprised if both of the following things are true: 1) a lot of damage can still be done outside of that scope; 2) there are domains that NPM/GitHub have not attempted to send mail to since expiration, and those accounts have therefore not yet been flagged for manual intervention by the support team.

That is very possible. The only emails I ever get from npm are when I initiate an action. If the way to identify expired domains is by random emails being sent to them, we can be sure most vulnerable accounts are not flagged.
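The two comments above assume the registry only learns about a lapsed maintainer domain when a mail bounces. The check can be run proactively instead: pull the package metadata, collect each maintainer's e-mail domain, and test whether that domain still resolves. The script below is an added example written for this thread; it is not code from npm, GitHub, or the audit being discussed. It assumes the packument shape served by the public npm registry (a `maintainers` array of `{name, email}` objects); the sample packument, the maintainer names and the `lapsed-domain.example` domain are constructed for the example, not real accounts. The resolver is injectable so the logic can be exercised offline; the default uses `socket.getaddrinfo`, which only proves the domain has an address record.

```python
"""Flag npm maintainers whose e-mail domain no longer resolves.

Added example for the discussion above, not registry or audit code.
Packument shape assumed from https://registry.npmjs.org/<name>;
the sample data here is constructed.
"""
import json
import socket
from typing import Callable, Dict, List

# Constructed sample packument (not a real package or real maintainers).
# ".example" is an RFC 2606 reserved TLD, so it never resolves.
SAMPLE_PACKUMENT = json.dumps({
    "name": "example-widget",
    "dist-tags": {"latest": "1.2.3"},
    "maintainers": [
        {"name": "alice", "email": "alice@example.com"},
        {"name": "bob", "email": "bob@lapsed-domain.example"},
    ],
})


def maintainer_domains(packument_json: str) -> Dict[str, str]:
    """Map maintainer name -> lower-cased e-mail domain from a packument.

    Entries without a usable e-mail address are skipped rather than
    guessed, because a missing address is a different finding from a
    dead domain.
    """
    data = json.loads(packument_json)
    domains: Dict[str, str] = {}
    for maintainer in data.get("maintainers", []):
        email = maintainer.get("email", "") or ""
        if "@" in email:
            domains[maintainer["name"]] = email.rsplit("@", 1)[1].lower()
    return domains


def domain_resolves(domain: str) -> bool:
    """Default resolver: does the domain have any A/AAAA record?

    Caveat: a parked or re-registered domain still resolves, and a domain
    can accept mail via MX with no address record. Treat this as a cheap
    first filter; a registrar-level expiry check (RDAP/WHOIS) is the
    stronger signal for "someone else could now register this".
    """
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def flag_unresolvable(
    packument_json: str,
    resolves: Callable[[str], bool] = domain_resolves,
) -> List[str]:
    """Return maintainer names whose e-mail domain fails the resolver."""
    return sorted(
        name
        for name, domain in maintainer_domains(packument_json).items()
        if not resolves(domain)
    )


if __name__ == "__main__":
    # Live run against the constructed sample: only "bob" should be flagged,
    # since example.com resolves and the .example TLD is reserved.
    print(flag_unresolvable(SAMPLE_PACKUMENT))
```

Running this over the maintainers of every package in a dependency tree, rather than only the top 1,000, is the scope expansion the first comment is asking about; the injectable resolver also makes it easy to swap in an MX lookup or an RDAP expiry query where those are available.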