This is not true. Attackers are usually not publishing packages under their own accounts. They are publishing packages using hacked accounts of major packages that have many dependants.
The real owner will (hopefully) notice when a malicious version is published.
If you use a cooldown then it gives the real owner of the account enough time to report the hack and get the malicious version taken down.
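The cooldown described above, as an added example that is not part of the original thread: it filters a package's version list by publish age so a version pushed minutes ago from a compromised account is not yet selectable. The `time` map shape mirrors what an npm-style registry returns, but the versions and timestamps here are constructed.

```python
"""Dependency-cooldown filter (illustrative code, not from the thread)."""
from datetime import datetime, timedelta

# Constructed sample of a registry's per-package `time` map; not a real package.
SAMPLE_TIME_MAP = {
    "created": "2023-01-10T12:00:00.000Z",
    "modified": "2024-06-02T09:00:00.000Z",
    "1.4.0": "2024-03-01T08:00:00.000Z",
    "1.4.1": "2024-05-15T10:30:00.000Z",
    "1.4.2": "2024-06-02T09:00:00.000Z",  # freshly published, inside the window
}


def _parse_iso(ts: str) -> datetime:
    # Registry timestamps end in 'Z'; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def eligible_versions(time_map: dict, now_iso: str, cooldown_days: int) -> list:
    """Versions published at least `cooldown_days` before `now_iso`, newest first.

    A version still inside the window is skipped, which is the time the real
    maintainer has to report a hijacked release and get it taken down.
    """
    cutoff = _parse_iso(now_iso) - timedelta(days=cooldown_days)
    eligible = [
        version
        for version, ts in time_map.items()
        if version not in ("created", "modified") and _parse_iso(ts) <= cutoff
    ]
    # Newest eligible version first, so [0] is what a resolver would pick.
    eligible.sort(key=lambda v: _parse_iso(time_map[v]), reverse=True)
    return eligible


def newest_eligible(time_map: dict, now_iso: str, cooldown_days: int):
    """Version a cooldown-aware resolver would choose, or None if all are too new."""
    versions = eligible_versions(time_map, now_iso, cooldown_days)
    return versions[0] if versions else None


if __name__ == "__main__":
    # Without a cooldown the day-old 1.4.2 is picked; with 7 days, 1.4.1 is.
    print(newest_eligible(SAMPLE_TIME_MAP, "2024-06-03T12:00:00Z", 0))  # 1.4.2
    print(newest_eligible(SAMPLE_TIME_MAP, "2024-06-03T12:00:00Z", 7))  # 1.4.1
```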