Staged Publishing With Out-of-Band 2FA for Registries
P7/10May 11, 2026
WhatA registry-level service that adds a mandatory human approval step with a second factor outside CI/CD before any package version goes live, bridging the security gap that Trusted Publishing introduced.
SignalTrusted Publishing removed the local 2FA gate on npm publish in favor of CI/CD convenience, which means anyone who compromises the pipeline can publish freely — developers are asking for staged publishing with a true second factor outside the GitHub trust boundary.
Why NowTrusted Publishing adoption is accelerating across npm, PyPI, and RubyGems, but none of their documentation even mentions release gates or manual approvals, creating a systemic blind spot that attackers are now actively exploiting.
MarketOpen source maintainers and enterprise teams publishing to npm/PyPI/Cargo — could be a paid add-on or standalone SaaS. Key gap: npm has no native staged publishing. Competitors like Sigstore focus on provenance, not approval workflows. TAM $500M+ within broader DevSecOps.
MoatIntegration depth with registries and CI/CD platforms creates high switching costs once teams wire their release processes through it.
Real-Time Supply Chain Attack Detection for Package RegistriesP7/10A continuous monitoring platform that detects malicious code injection in npm/PyPI/Cargo packages within minutes of publication by analyzing diffs, behavioral signatures, and CI/CD pipeline anomalies.
Dependency Quarantine and Time-Delay Update Enforcement ToolC6/10A developer tool that enforces configurable minimum release age policies across npm/yarn/pnpm uniformly, quarantining new package versions and alerting teams before any bleeding-edge dependency enters their build.
CI/CD Pipeline Integrity Monitor and Tamper DetectionC7/10An agent that runs inside CI/CD environments to detect unauthorized modifications to build scripts, secret exfiltration attempts, and persistence mechanisms like the dead-man's-switch malware seen in this attack.
AI Architecture Enforcer for Codebase ConsistencyP6/10A tool that lets developers define software architecture constraints upfront and continuously enforces them as AI agents generate code across sessions.
AI-Powered Architecture Review Before Code GenerationC6/10A pre-coding design tool that forces developers to specify concrete interfaces, message types, and ownership rules in a structured format before any AI code generation begins, then validates generated code against the spec.
Codified Developer Persona Agents for AI CodingC5/10A platform that lets developers encode their design preferences, coding standards, and architectural decision-making style into persistent AI agent personas that maintain consistency without requiring the developer in the loop.