Every decent malware author just adds tools like these to their test suites, and only release new malware that evades all detection.

That game of cat and mouse never ends.

The only solution is just actually reviewing the code we ship to our customers. Yes, even the code we copied off the internet with a magic "npm install" command.