Learned the hard way. I got an email from a person trying to take over one of my NPM packages on November 16th. I didn't see the email until today (I don't check email very often), and NPM had already transferred the package to the third party on December 15th without my consent.
Turns out, it's laid out in the NPM policy. You have exactly 4 weeks to respond to a takeover request, or you lose the package: https://www.npmjs.com/policies/disputes
Now I've set up a canned response in Gmail to automatically respond to NPM support if they try to do it again. Maybe that will help. Makes me very nervous about my other packages though.
Seems like a pretty good attack vector for hackers.