Cthulhu_ 3 days ago
I always thought this would be the ideal monetization path for NPM; enterprises pay them, NPM only supplies verified package releases, ideally delayed by hours/days after release so that anything that slips through the cracks has a chance to get caught.
chrisweekly 3 days ago
Enterprises today typically use a custom registry, which can include any desired amount of scans and rigorous controls.
johannes1234321 3 days ago
That would put them into liability or be a quite worthless agreement taking no responsibility.