It's still a good indicator, as you can assume that if some bug was exploited a long time ago, it's very likely to continue to be exploited in the present / until it is fixed.


Also, if an attacker exploited this bug to upload a patched version N+1 after a legitimate version N was published, there's a good chance that the legitimate developer would eventually also try to release version N+1, and NPM would report the clash to them.

An attacker would have to get very lucky, exploiting this bug just up until the point when the logs started (which they had no way to predict), and to target only packages which have either never been updated since, or which were followed by a minor/major package update (not a patch).


I'd say npm itself probably uses npm packages internally? What if they were already compromised through this flaw to avoid these red flags from popping up?

The attacker might be monitoring their logs, selectively silencing version clashes. Heck, it's even possible they now have backdoor access to do whatever they want to any package.

I know it's cynical thinking, but this vulnerability was unbelievable and the way they're handling it is definitely not reassuring, from my personal standpoint.
