So first they steal all the code and launder it without attribution. Then they release a tool that doesn't find anything in hardened projects and is marketed through secrecy and modern equivalents of Netcraft, like this British AI institute.
Then open source projects need a McKinsey-like stamp of approval to even be released.
Sounds like there are many parasites in this process.
You know that open source users are free to scan everything if they want to?