It also seems weird that people are only scanning code that breaks?

I have 0 cred in anything security, so maybe i'm just missing a bigger picture thing, but like...if you told me i had to make some sort of malicious NPM package and get people to use it, i'd probably just find something that works, copy the code, put in some stylistic changes, and then bury my malicious code in there?

This seems so obvious that I question if the OP is correct in stating people aren't looking for that, or maybe I misunderstand what they mean because i'm ignorant?