www.stepsecurity.io 5/18/2026, 3:41:30 PM · via preferred

StepSecurity's Secure Registry blocks npm worm Mini Shai Hulud


Secure Registry, StepSecurity’s install-time defence for the npm supply chain, sits as an authenticated upstream registry that evaluates every npm metadata request and tarball download against configured security controls before it reaches developers, CI runners, or artifact managers.

The feature, announced in a post on 12 May 2026, follows a campaign by the TeamPCP threat group, which published malicious versions of several @tanstack npm packages carrying a self-propagating worm that steals CI/CD credentials and uses them to publish infected versions across maintained packages. The worm, Mini Shai-Hulud, is noted as the first documented npm worm with legitimately attested malicious packages: the compromised packages carried valid SLSA Build Level 3 provenance attestations.

Secure Registry is designed to block or modify requests at install time, protecting CI, developer machines, and artifact managers. It includes a three-step setup flow with integration options for JFrog Artifactory, Google Artifact Registry, or direct .npmrc configuration. It is available today for Enterprise customers, with npm support generally available and PyPI support coming soon, and ships with a first control called Cooldown Period, configurable with a default of 10 days.
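To illustrate what a cooldown control applied to npm metadata can look like, the following added example (not StepSecurity's code or implementation) filters an npm packument so that versions younger than the cooldown window are withheld and `latest` is re-pointed. It assumes the cooldown is measured from the publish timestamps in the packument's `time` map; `applyCooldown`, `compareVersions` and the `example-pkg` sample are hypothetical names constructed for this sketch.

```javascript
// Added example, not StepSecurity code: a cooldown filter over an npm packument.
const DAY_MS = 24 * 60 * 60 * 1000;

// Order plain x.y.z versions numerically (prerelease suffixes are ignored).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Return a filtered copy of the packument plus the list of versions held back.
function applyCooldown(packument, now, cooldownDays = 10) {
  const cutoff = now.getTime() - cooldownDays * DAY_MS;
  const times = packument.time || {};
  const out = { ...packument, versions: {}, "dist-tags": {},
                time: { created: times.created, modified: times.modified } };
  const held = [];
  for (const [version, manifest] of Object.entries(packument.versions || {})) {
    const published = Date.parse(times[version]);
    // Fail closed: a missing or unparseable publish time counts as "too new".
    if (Number.isNaN(published) || published > cutoff) { held.push(version); continue; }
    out.versions[version] = manifest;
    out.time[version] = times[version];
  }
  const stable = Object.keys(out.versions).filter((v) => !v.includes("-")).sort(compareVersions);
  for (const [tag, version] of Object.entries(packument["dist-tags"] || {})) {
    if (out.versions[version]) out["dist-tags"][tag] = version;
    // Re-point "latest" so an unpinned install resolves to an aged version.
    else if (tag === "latest" && stable.length) out["dist-tags"].latest = stable[stable.length - 1];
  }
  return { packument: out, held };
}

// Constructed sample metadata: 1.1.1 was published one day before "now".
const SAMPLE = {
  name: "example-pkg",
  "dist-tags": { latest: "1.1.1", next: "1.1.1" },
  versions: { "1.0.0": {}, "1.1.0": {}, "1.1.1": {} },
  time: { created: "2026-03-01T00:00:00.000Z", modified: "2026-05-11T00:00:00.000Z",
          "1.0.0": "2026-03-01T00:00:00.000Z", "1.1.0": "2026-04-20T00:00:00.000Z",
          "1.1.1": "2026-05-11T00:00:00.000Z" },
};
const result = applyCooldown(SAMPLE, new Date("2026-05-12T00:00:00.000Z"));
console.log("held back:", result.held, "dist-tags:", result.packument["dist-tags"]);
```

A lockfile or explicit pin to a withheld version would no longer resolve against the filtered metadata, so a build fails visibly instead of pulling a freshly published release.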


Article by CyberSIXT
