For us, this was a very fast 0-60 project meant to help people quickly identify if they were breached by the LiteLLM supply chain attack (with other detection support). That's part of the reason our tool runs recursive checks, so developers can go to their e.g. ~/source directory and quickly see if they were pwned.
We've had almost zero false-positives with the AI detection in our configuration -- granted we haven't had a whole lot of testing given the short timeframe we started in, so take this with a grain of salt
It has a 2-part process. First, it does a simple depencency check against Google's OSV, then there's a supply chain check that requires an AI key. This secondary check uses code signature checks to identify files that have "risky" behavior (e.g. eval, lots of encoded code etc) and passes that to an AI to identify whether it's likely malicious code hidden behind the "risky" behavior.
We've had almost zero false-positives with the AI detection in our configuration -- granted we haven't had a whole lot of testing given the short timeframe we started in, so take this with a grain of salt
Disclaimer: I work on this code