Sorry, I just saw this! We actively monitor each open source repository and as packages are published, we pull them down and analyze each line of code and any associated metadata. We also pull as much information as we can get from VCS platforms like Github and Gitlab. We then run some heuristics, analytics, and ML models over this data to make a determination of whether or not something is malicious. I should stress that this process is fully automated; it's just not tenable to do this work at this scale manually. Today we process about 2-3M files each day, across 30-50k packages. It's pretty crazy how many attacks are going on every single day.