Malicious packages aren’t just found because someone gets pwned, there are organizations out there proactively scanning for this stuff.