Yes to the "you guys can detect it in my codebase" question, but it's generally not required for someone to report a compromised package; we also discover them ourselves quite fast due to automated scans of npm package updates. This is how Aikido was first to discover the previous supply chain hack.
The easiest way for you to use our product to be protected is actually using one of our free open source tools. https://www.npmjs.com/package/@aikidosec/safe-chain
This is a wrapper around npm etc. that will prevent you from installing malware.
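To make the "wrapper around npm" idea concrete, here is an added example of the pattern such a tool follows: intercept the install subcommand, check every requested package@version against a blocklist of known-malicious releases, and only then hand off to the real npm. This is illustrative code written for this page, not safe-chain's own implementation; the blocklist entries (`example-malicious-pkg`, `@example-scope/trojan-lib`) are constructed placeholders, and `NPM_BIN` is an assumed override so the wrapper can be exercised without npm installed.

```shell
#!/bin/sh
# Hypothetical pre-install gate (not safe-chain's code): refuses `npm install`
# for package@version pairs on a blocklist, otherwise delegates to real npm.

# Constructed blocklist, one "name@version" per line. A real tool would pull
# this from a live feed; it is inline here so the script runs offline.
BLOCKLIST='example-malicious-pkg@1.2.3
@example-scope/trojan-lib@4.0.1'

# Split "@scope/name@1.0.0" or "name@1.0.0" into SPEC_NAME and SPEC_VERSION.
# The leading "@" of a scope is stripped first so the version split happens
# on the last "@". SPEC_VERSION is empty when no version was given.
split_spec() {
    spec=$1
    case $spec in
        @*) body=${spec#@}; prefix=@ ;;
        *)  body=$spec;     prefix= ;;
    esac
    case $body in
        *@*) SPEC_NAME="$prefix${body%@*}"; SPEC_VERSION=${body##*@} ;;
        *)   SPEC_NAME="$prefix$body";      SPEC_VERSION= ;;
    esac
}

# Return 1 (blocked) if any install argument is on the blocklist, else 0.
# Flags such as -D or --save-dev are skipped. An unpinned spec is only warned
# about: the wrapper cannot know which version npm will resolve it to, which
# is exactly the gap a real tool closes by resolving before installing.
check_install_args() {
    for arg in "$@"; do
        case $arg in
            -*) continue ;;
        esac
        split_spec "$arg"
        if [ -z "$SPEC_VERSION" ]; then
            echo "warn: $SPEC_NAME has no pinned version; cannot pre-check it" >&2
            continue
        fi
        if printf '%s\n' "$BLOCKLIST" | grep -qxF -- "$SPEC_NAME@$SPEC_VERSION"; then
            echo "blocked: $SPEC_NAME@$SPEC_VERSION is on the malware blocklist" >&2
            return 1
        fi
    done
    return 0
}

# Wrapper entry point: `safe_npm install foo@1.2.3` is gated; any other npm
# subcommand passes straight through. NPM_BIN (assumed name) overrides the
# binary so the wrapper can be tested without npm present.
safe_npm() {
    case $1 in
        install|i|add)
            shift
            check_install_args "$@" || return 1
            set -- install "$@"
            ;;
    esac
    "${NPM_BIN:-npm}" "$@"
}
```

Drop this in your shell profile and alias `npm` to `safe_npm` to get the behaviour; the blocklist is the part that does the real work, so a deny-list that is not refreshed from a feed of newly discovered compromised versions buys very little.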