Theoretical question: do cooldowns still work if everyone has them?
Companies such as Socket and SafeDep will still scan new packages and alert on malware (if they are able to detect it), so the packages are taken down before they pass your cooldown.
Less well, maybe, but yes. Security researchers still proactively test them, and the maintainer has a much better chance of catching it themselves.
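As an added illustration of the exchange above (not code from any commenter or from any registry tool), a minimal cooldown resolver over a constructed npm-style packument for a hypothetical package: a release only becomes a candidate once it has been public for the whole window, and a release that was unpublished before the window elapsed never becomes one, which is why scanner-driven takedowns still matter to cooldown users.

```python
from datetime import datetime, timedelta, timezone

# Constructed packument (not real registry data) for a hypothetical package.
# "2.0.1" appears in "time" but not in "versions": this models a release that
# was unpublished/taken down after a malware report, as npm metadata does.
PACKUMENT = {
    "name": "example-lib",
    "dist-tags": {"latest": "2.1.0"},
    "versions": {"1.4.2": {}, "2.0.0": {}, "2.1.0": {}},
    "time": {
        "created": "2024-01-10T00:00:00.000Z",
        "modified": "2024-06-03T12:00:00.000Z",
        "1.4.2": "2024-01-10T00:00:00.000Z",
        "2.0.0": "2024-05-20T09:00:00.000Z",
        "2.0.1": "2024-06-01T08:00:00.000Z",  # taken down before cooldown ended
        "2.1.0": "2024-06-03T12:00:00.000Z",
    },
}


def parse_version(v):
    """Plain semver-ish ordering for the constructed data (no prerelease tags)."""
    return tuple(int(p) for p in v.split("."))


def cooldown_candidates(packument, now, cooldown_days):
    """Return (version, age_in_days) for releases that are still installable
    and were published at least cooldown_days before `now`."""
    cutoff = now - timedelta(days=cooldown_days)
    out = []
    for ver, published in packument["time"].items():
        if ver in ("created", "modified"):
            continue  # not versions
        if ver not in packument["versions"]:
            continue  # unpublished: the cooldown never lets it through
        ts = datetime.fromisoformat(published.replace("Z", "+00:00"))
        if ts <= cutoff:
            out.append((ver, (now - ts).days))
    return sorted(out, key=lambda p: parse_version(p[0]))


def resolve_with_cooldown(packument, now, cooldown_days):
    """Newest version that has survived the full cooldown window, or None."""
    cands = cooldown_candidates(packument, now, cooldown_days)
    return cands[-1][0] if cands else None


if __name__ == "__main__":
    now = datetime(2024, 6, 5, tzinfo=timezone.utc)
    print(resolve_with_cooldown(PACKUMENT, now, 7))   # 2.0.0, not latest 2.1.0
```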