Since old code is under a very permissive license, then the new owner could create v0.0.4 add code and make the new version closed with a restrictive license.
This is where a license like GPL would benefit overall, since all future code requires to be under the same license.
Either way, it seems like a dangerous policy to allow someone to re-own a previous owned and published module. Licensing is not the real threat but malicious code that potentially could be deployed.
The WTFPL licensing comes from the package.json file, which is in the GitHub repo.
I guess this is why debian takes licenses so serious.