
This is really bad for npm.

I think they hold some responsibility in allowing an obviously malicious package to impersonate popular packages.

I would like to see an official response with action plan. I recall this attack vector being discussed in the aftermath of left-pad.

An unfortunate irony is that the current post on the npm blog is "Securing the npm registry" from 12 hours ago.



Not really much they can do other than take it down and maybe 'protect' some popular packages from typosquatting by reserving some common misspellings. They're a public repository where users upload arbitrary code. The trust relationship really isn't there.

You trust NPM to be secure and serve exactly the code that the author published unmodified.

You trust the author to not act maliciously. Nothing you can really do if a user voluntarily installs leet-virus.
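As an added illustration of the "reserve common misspellings" idea raised in the comment above (example code written here, not from the thread or from npm): a defender-side check that flags dependencies in a package.json whose names sit one edit away from a well-known package name. The popular-package list and the sample manifest are constructed for the demo.

```javascript
// Added example: flag dependency names that are one typo away from a
// well-known npm package. POPULAR is a constructed sample list, not
// registry data; a real check would use the actual top-N package names.
const POPULAR = ["lodash", "express", "react", "request", "chalk"];

// Optimal-string-alignment distance: insertion, deletion, substitution and
// adjacent transposition each cost 1. These are the common typo classes.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      // Adjacent transposition, e.g. "lodahs" -> "lodash".
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Returns the popular package a name resembles, or null when the name is an
// exact (legitimate) match or not close to any entry.
function typosquatCandidate(name, popular = POPULAR, maxDistance = 1) {
  if (popular.includes(name)) return null;
  for (const p of popular) {
    if (editDistance(name, p) <= maxDistance) return p;
  }
  return null;
}

// Scan a parsed package.json object and return the suspicious dependencies.
function scanDependencies(pkg, popular = POPULAR) {
  const names = Object.keys({ ...pkg.dependencies, ...pkg.devDependencies });
  return names
    .map((n) => ({ name: n, resembles: typosquatCandidate(n, popular) }))
    .filter((r) => r.resembles !== null);
}

// Constructed sample manifest: two misspelled names beside two genuine ones.
const SAMPLE_PKG = {
  dependencies: { lodahs: "^4.0.0", express: "^4.16.0", expres: "^4.16.0" },
  devDependencies: { chalk: "^2.0.0" },
};

console.log(scanDependencies(SAMPLE_PKG));
```

Run it with node; each flagged entry names the popular package it resembles so a reviewer can decide whether the dependency was meant.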



