In the somewhat longer history of CPAN, this has not happened, so I don't see any immediate cause for frantic action. I think most CPAN authors simply are more mature than the Node.js developer and won't cause havoc by removing a module used wide and far/with a long CPAN river downstream.
A more paranoid CPAN client can also be set up to only accept a predefined set of authors' keys. This can mitigate the issue of another previously unknown PAUSE author trying to push an update to an existing module.
If you're using Perl and CPAN in a commercial setting, you do well by running your own, private CPAN and selectively importing modules into that private repository.
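The key allowlist idea mentioned above, sketched as an added example (not code from this post or from any existing CPAN client): it reads the status text that `gpg --status-fd 1 --verify` emits for a distribution's signature and accepts the distribution only if the signer is pinned for it. The `%PINNED` table, the distribution name `Acme-Example`, the function names and the fingerprints are all hypothetical or constructed, and pinning keys per distribution goes slightly beyond the single global key list described above.

```perl
use strict;
use warnings;

# Constructed 40-hex fingerprints standing in for real author keys.
my ($ALICE, $MALLORY) = ('A' x 40, 'B' x 40);

# Hypothetical pin list: distribution name => primary-key fingerprints allowed to sign it.
my %PINNED = ('Acme-Example' => { $ALICE => 1 });

# Given gpg's --status-fd text for one distribution's signature, accept only
# if every valid signature comes from a key pinned for that distribution.
sub signer_allowed {
    my ($dist, $status) = @_;
    my $pins = $PINNED{$dist} or return (0, "no keys pinned for $dist");
    my @signers;
    for my $line (split /\n/, $status) {
        next unless $line =~ /^\[GNUPG:\] (\S+)\s*(.*)$/;
        my ($keyword, $rest) = ($1, $2);
        # Any failed, expired or revoked signature rejects the whole file.
        return (0, "gpg reported $keyword")
            if $keyword =~ /^(?:BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/;
        next unless $keyword eq 'VALIDSIG';
        my @f = split ' ', $rest;
        return (0, 'malformed VALIDSIG line') unless @f;
        # Field 10 is the primary-key fingerprint; it may be absent, so fall back to field 1.
        push @signers, uc($f[9] // $f[0]);
    }
    return (0, 'no valid signature') unless @signers;
    for my $fpr (@signers) {
        return (0, "signer $fpr is not pinned for $dist") unless $pins->{$fpr};
    }
    return (1, "signed by pinned key $signers[0]");
}

# Constructed status output, shaped like what gpg writes for a good signature.
sub validsig { my $fpr = shift; "[GNUPG:] NEWSIG\n[GNUPG:] VALIDSIG $fpr 2016-03-24 1458800000 0 4 0 1 8 01 $fpr\n" }

my @cases = (
    [ 'known author',   validsig($ALICE) ],
    [ 'unknown author', validsig($MALLORY) ],
    [ 'tampered file',  "[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Constructed Author\n" ],
);
for my $case (@cases) {
    my ($ok, $why) = signer_allowed('Acme-Example', $case->[1]);
    printf "%-15s %s (%s)\n", $case->[0], ($ok ? 'ACCEPT' : 'REJECT'), $why;
}
```

The check fails closed: a distribution with no pinned keys, no signature at all, or a valid signature from a key outside the pin list is rejected rather than installed.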