by sdrzn 2425 days ago
GitRoyalty just hosts a git remote repository that you pay to get access to. NPM and almost all other package managers support installing from git URLs, and too many people rely on this functionality for it to ever be removed.

How do you stop someone from forking the project on GitHub, adding in a manifest, and then pushing to a package repository like npm?

Is there a risk of popular projects that are distributed through GitRoyalty having unofficial versions with malicious code on the package repositories, similar to how typo-squatting works?
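The unofficial-fork risk raised above can at least be detected on the consuming side. The following is an added example, not code from this thread, from GitRoyalty or from npm: it classifies every dependency spec in a package.json by where npm would fetch it from (git remote, registry, remote tarball, local path) and flags two policy violations: a package the team knows is only distributed through a paid git remote but is being resolved from the public registry (by definition an unofficial republish), and a git dependency whose host is not on an allowlist. The host `git.example-royalty.invalid`, the package names and the policy sets are constructed placeholders for the example.

```javascript
// Added example (not from the Hacker News thread or GitRoyalty): audit the
// dependency specs of a package.json for unofficial sources. Assumed policy
// inputs: a Set of allowed git hosts and a Set of package names that must
// only ever be installed from a git remote.

const SHORTHAND_HOSTS = {
  github: "github.com",
  gitlab: "gitlab.com",
  bitbucket: "bitbucket.org",
  gist: "gist.github.com",
};

// Map one npm dependency spec to { source, host? }.
// source is one of "git", "registry", "tarball", "local".
function classifySpec(spec) {
  if (/^(file|link):/.test(spec)) return { source: "local" };
  if (spec.startsWith("npm:")) return { source: "registry" }; // alias of a registry package
  const short = spec.match(/^(github|gitlab|bitbucket|gist):/);
  if (short) return { source: "git", host: SHORTHAND_HOSTS[short[1]] };
  // scp-style syntax: git@host:org/repo.git
  const scp = spec.replace(/^git\+/, "").match(/^[\w.-]+@([\w.-]+):/);
  if (scp) return { source: "git", host: scp[1].toLowerCase() };
  // Full URLs: git+ssh://, git+https://, git://, https://... (tarball or git)
  if (/^(git\+)?[a-z][a-z0-9+.-]*:\/\//i.test(spec)) {
    const url = new URL(spec.replace(/^git\+/, ""));
    const host = url.hostname.toLowerCase();
    const tarball =
      /^https?:$/.test(url.protocol) && /\.(tgz|tar\.gz)$/i.test(url.pathname);
    return tarball ? { source: "tarball", host } : { source: "git", host };
  }
  // Bare user/repo[#ref] shorthand resolves to GitHub.
  if (/^[\w.-]+\/[\w.-]+(#\S*)?$/.test(spec)) return { source: "git", host: "github.com" };
  return { source: "registry" }; // semver range, dist-tag or "*"
}

// Return one finding per dependency that violates the policy.
function auditDependencies(pkg, { allowedGitHosts, gitOnlyPackages }) {
  const findings = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, spec] of Object.entries(deps)) {
    const c = classifySpec(spec);
    if (c.source === "git" && !allowedGitHosts.has(c.host)) {
      findings.push({ name, spec, issue: `git dependency from non-allowlisted host ${c.host}` });
    } else if (c.source !== "git" && gitOnlyPackages.has(name)) {
      findings.push({ name, spec, issue: `expected a git remote, resolves from ${c.source}` });
    }
  }
  return findings;
}

// Constructed sample package.json for the example (all names are placeholders).
const SAMPLE_PACKAGE = {
  dependencies: {
    "paid-widget": "git+ssh://git@git.example-royalty.invalid/acme/paid-widget.git#semver:^2.0.0",
    "paid-charts": "^1.4.0", // git-only package being pulled from the registry
    "left-pad": "^1.3.0",
    "some-fork": "github:someone/paid-widget", // git, but host not allowlisted
  },
  devDependencies: {
    "build-tool": "https://cdn.example.invalid/build-tool-1.0.0.tgz",
  },
};

// Constructed policy: the paid remote is the only allowed git host, and two
// packages are known to be distributed exclusively through it.
const SAMPLE_POLICY = {
  allowedGitHosts: new Set(["git.example-royalty.invalid"]),
  gitOnlyPackages: new Set(["paid-widget", "paid-charts"]),
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditDependencies(SAMPLE_PACKAGE, SAMPLE_POLICY)) {
    console.log(`${f.name} (${f.spec}): ${f.issue}`);
  }
}
```

Run against the sample, the audit reports `paid-charts` (a git-only package resolving from the registry) and `some-fork` (a git dependency hosted on github.com rather than the allowlisted remote); `paid-widget`, `left-pad` and the tarball dependency pass. A check like this belongs in CI next to `npm ci`, since it only inspects declared specs and does not see what a lockfile or a transitive dependency actually resolved to.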

There are a few reasons to not rely on unofficial forks. The chance of malicious code is one. Also: unwanted changes, missing updates, maintenance confusion...

These issues already exist in the world of open source, as you note, and the only way that I know of to stop it would be to have a more restrictive license (and to pursue any violations).

social pressure?
More thinking: if you have to mess around with license files to get packages to work, they will remove the package.