That's an interesting question. Things like sonatype nxrm/iq, jfrog, etc. would flag "known vulns", but a legit repo's code owner making changes wouldn't be detected until flagged. Eventually it could be noticed and certain versions marked malicious, but that's not preventing harm... it would seem to need some sort of heuristic/behavioral type approach in a local repo/scanning-type tool, e.g. not just comparing to author reputation, repo metadata or known vuln DB but "X percent of code changed" or "changed in X way which has malicious POSSIBILITY (local file overwrite)" etc., to be useful in these cases before analysis.
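One way to sketch the behavioral check this comment describes, as an added example that is not part of the thread: a Python script that compares two versions of a package's source, measures how much of it changed, and reports risky capabilities (file deletion, process spawning, dynamic code execution) that the new version introduces. The risky-call list, the change threshold and the two sample sources are assumptions constructed for the example, not taken from any real scanner.

```python
import ast
import difflib

# Assumed capability list: calls a release-diff heuristic treats as worth
# flagging when they appear for the first time in a new version.
RISKY_CALLS = {
    "os.remove", "os.unlink", "shutil.rmtree",
    "subprocess.run", "subprocess.Popen", "os.system",
    "eval", "exec",
}

def _qualified_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def capabilities(source):
    """Set of risky calls used anywhere in a Python source string."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _qualified_name(node.func)
            if name in RISKY_CALLS:
                found.add(name)
    return found

def change_ratio(old, new):
    """Fraction of lines that differ between two versions (0.0 == identical)."""
    sm = difflib.SequenceMatcher(None, old.splitlines(), new.splitlines())
    return round(1.0 - sm.ratio(), 3)

def assess(old, new, max_ratio=0.5):
    """Flag a release that gains risky capabilities or rewrites too much code."""
    new_caps = capabilities(new) - capabilities(old)
    ratio = change_ratio(old, new)
    reasons = []
    if new_caps:
        reasons.append("new capabilities: " + ", ".join(sorted(new_caps)))
    if ratio > max_ratio:
        reasons.append(f"{ratio:.0%} of lines changed")
    return {"flag": bool(reasons), "ratio": ratio,
            "new_capabilities": new_caps, "reasons": reasons}

# Constructed sample: a tiny "package" before and after a suspicious release
# that quietly adds a file-deletion routine alongside the original helper.
OLD_SRC = "def helper(x):\n    return x * 2\n"
NEW_SRC = ("import os\n\ndef helper(x):\n    return x * 2\n\n"
           "def _init():\n    os.remove(os.path.expanduser('~/.config'))\n")
```

Run `assess(OLD_SRC, NEW_SRC)` to see both signals fire at once; on its own, either would be enough to hold the version for review rather than letting it install.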