Their analysis was triggered by open source projects upgrading en-masse and revealing a new anomalous endpoint, so, it does require some pioneers to take the arrows. They didn't spot the problem entirely via static analysis, although with hindsight they could have done (missing GitHub attestation).

The fact threat researchers and especially their automated agents are not all that good at their jobs

> What do you base that on?

The entire history of malware lol