> Malware already waits dormant for years in many different attack vectors

And some malware doesn't wait. Sure, some supply chain attacks like the one in Notepad++ are much more sophisticated, but some untargeted ones (like the recent Cline CLI one) rely on package managers doing thousands of downloads before it's noticed and stopped.