Maybe give publishers a way to quarantine versions with a warning that stops the install, but allows users can override if they choose to is the next step?

Give a publisher a way to tag a version as malicious and then in those hours between the exploit being noticed and the package being removed anyone who tries to install gets a message about that version being quarantined and asking whether they want to proceed.

It's not a perfect solution, but I think it's better than just waiting for NPM to take action without opening the door up to another left pad situation.