We've had a lot of interest in this thesis. We were a little less defensive this time given that the author made clear that several major package managers are vulnerable in the same way.
We delete typo-squatting when it is brought to our attention. Usually this happens when somebody else wants to use the name, in which case our support team will transfer the empty package to them. Sometimes people will notice a single user squatting a large number of names, and then we'll delete them, but the registry is too big and our support team too small to do this all the time. We do not automate removal of squatting because it's too easy to game: whatever you decide is the rule to be a "real" package, somebody will create a package that meets that and use it to squat on things.
As for the security risk, it is pretty small. The ~600 installs he counted over several days from npm represent just 0.02% of the number of installation sessions npm records