How would you identify "security researchers" and tell them apart from the attacker in a trench coat?

After you've done that, why would these supposedly expert security researchers review random code in your package manager?