This is essentially what some 3rd party vendors do, which is why supply chain malware is typically found in hours now and not weeks.

The reason why npmjs, pypy and other public registries don't do this is because it would likely 10x+ the cost of their infrastructure while not bringing in much new revenue. It's also potentially orthogonal to paint customers needs since it could likely lead to downtime or at least block new releases going out