Highly obfuscated code would raise suspicions, especially in similar cases found in NPM packages.
E.g. in Python, obfuscators I've come across tend to replace characters with non-Latin unicode chars, which should raise flags when found in a predominatenly latin based source code.
I agree, it's no where near bulletproof, but it's about raising barriers as well as updating the tool once workarounds are found. I don't see an easy solution to this issue but in most of the cases (including the ones in this article) I've seen to date, a simple URL scan would've caught them let alone more complex methods.
Not very much. You just obfuscate your code until this tool doesn't notice anything untoward, and then upload it.