StepSecurity has launched Secure Registry, an authenticated proxy registry that enforces security controls at npm install time rather than at PR review. It addresses the gap where malicious packages can be installed before scanners flag them — as demonstrated by the Mini Shai-Hulud worm that compromised @tanstack packages with valid SLSA attestations. The core feature is a configurable Cooldown Period (default 10 days) that blocks newly published packages until the community has had time to vet them. Two more controls are coming: Compromised Packages blocking and Typosquatting Protection. It integrates with JFrog Artifactory, Google Artifact Registry, or direct .npmrc config, and complements existing PR-stage scanning rather than replacing it. Available now for Enterprise customers with a 14-day trial option.
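The Cooldown Period is the one control described in enough detail to illustrate. The script below is an added example, not StepSecurity's code, and shows how an install-time gate can implement such a rule using the `time` map that the npm registry returns in a package's metadata document (version to ISO-8601 publish timestamp). The sample metadata, the clock value and the 10-day default are constructed here; the policy fails closed on unknown versions and on timestamps that lie in the future.

```python
"""Emulating an install-time cooldown gate over npm registry metadata.

Added example (not StepSecurity's implementation). The npm registry's
package document carries a "time" object mapping each version to its
publish timestamp; that is the only registry fact this code relies on.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of a registry "time" map. "created"/"modified" are
# bookkeeping keys the registry adds; they are not versions.
SAMPLE_PACKUMENT_TIME = {
    "created": "2024-01-01T00:00:00.000Z",
    "modified": "2024-06-20T12:00:00.000Z",
    "1.0.0": "2024-01-01T00:00:00.000Z",
    "1.1.0": "2024-05-01T00:00:00.000Z",
    "1.2.0": "2024-06-20T12:00:00.000Z",   # fresh release, inside the window
}

# Constructed "current time" so the example is deterministic offline.
NOW = datetime(2024, 6, 25, 0, 0, 0, tzinfo=timezone.utc)

DEFAULT_COOLDOWN_DAYS = 10  # the launch default quoted in the summary

_RELEASE_RE = re.compile(r"^\d+\.\d+\.\d+$")  # simplification: stable releases only


def parse_npm_time(ts: str) -> datetime:
    """Parse an npm ISO-8601 timestamp (trailing 'Z') into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def cooldown_decision(time_map: dict, version: str, now: datetime,
                      cooldown_days: int = DEFAULT_COOLDOWN_DAYS):
    """Decide whether `version` may be installed.

    Returns (allowed, reason). Unknown versions and future-dated publishes
    are rejected: a gate that cannot establish age must not assume it.
    """
    ts = time_map.get(version)
    if ts is None:
        return False, f"{version}: no publish time in registry metadata"
    published = parse_npm_time(ts)
    age = now - published
    if age < timedelta(0):
        return False, f"{version}: publish time {ts} is in the future"
    if age < timedelta(days=cooldown_days):
        return False, (f"{version}: published {age.days} day(s) ago, "
                       f"cooldown is {cooldown_days} day(s)")
    return True, f"{version}: published {age.days} day(s) ago"


def _release_key(version: str):
    return tuple(int(part) for part in version.split("."))


def latest_cooled_version(time_map: dict, now: datetime,
                          cooldown_days: int = DEFAULT_COOLDOWN_DAYS):
    """Highest stable version that has cleared the cooldown, or None.

    This is what a proxy registry would hand back when a client asks for
    'latest': the newest release old enough to have been vetted.
    """
    candidates = [v for v in time_map if _RELEASE_RE.match(v)
                  and cooldown_decision(time_map, v, now, cooldown_days)[0]]
    if not candidates:
        return None
    return max(candidates, key=_release_key)


if __name__ == "__main__":
    for v in ("1.0.0", "1.1.0", "1.2.0", "9.9.9"):
        allowed, reason = cooldown_decision(SAMPLE_PACKUMENT_TIME, v, NOW)
        print("ALLOW" if allowed else "BLOCK", reason)
    print("latest after cooldown:", latest_cooled_version(SAMPLE_PACKUMENT_TIME, NOW))
```

With the constructed clock, 1.2.0 is about four days old and is blocked while 1.1.0 becomes the version resolved for `latest`; shortening the window to two days lets 1.2.0 through, which is the tradeoff the configurable period exposes. A real gate would fetch the metadata document from the registry and apply the same decision before serving the tarball.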

From stepsecurity.io