Tags: git, security, github, bitbucket, malware

Malware Prevention on Bitbucket/GitHub


I have googled and searched on Stack Overflow but have found no clear answer to this. What steps do sites like GitHub and Bitbucket take to ensure that public repositories are safe and free of malware? It has only just occurred to me how blindly I will follow online tutorials/guides and run `git clone` commands from sources I do not know or understand.

Is there reason to think this is a safe process? Have I been ignorant at best and recklessly stupid at worst in not researching this before?

This also raises maybe a bigger question where a package will install various other packages that are dependencies - is this cause for even more concern or is there a clear audit/security trail that I can follow?

Apologies if I'm missing something obvious!


Solution

  • You've come upon a general problem on the Internet, which is this: how do companies that allow the general public to post arbitrary content determine that the content is suitable, for some value of suitable? The answer is that, in the general case, you cannot predetermine that content is suitable in this way. (For computer programs, that's because of the halting problem.)

    GitHub does offer the ability to scan for known vulnerabilities in certain languages, but for the obvious reason, viewing that is limited to the administrators of the repository. Otherwise, the general approach is to take down actually malicious content when it becomes noticeable, which is really the best that can be done given the circumstances.

    If you get your code from a trusted source, like a Linux distro, it's probably from a reputable project that's safe to run. Otherwise, you may choose not to run code from unknown authors, or to prefer to check the dependencies installed by your language's package manager to ensure you're only using well-known packages by trusted members of the community. Of course, that will only help protect you from actual malicious software, not reputable software that just happens to have security bugs; for that, you should apply security updates frequently.
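One concrete way to do the dependency check the answer recommends, as an added example that is not part of the original answer: parse the lockfile your package manager wrote and report any transitive package that is not on a team-maintained allow-list, plus any package that declares an install-time script. It assumes an npm `package-lock.json` in the lockfileVersion 2/3 layout (whose `packages` map carries `hasInstallScript`); the lockfile contents and the allow-list below are constructed sample data.

```python
"""Audit an npm lockfile against an allow-list of vetted packages.

Added example (not from the original post). Assumes the lockfileVersion 2/3
layout, where "packages" maps install paths to metadata and packages that
run install hooks carry "hasInstallScript": true.
"""
import json

# Constructed sample lockfile: two direct dependencies, one transitive
# dependency that is absent from the allow-list and runs an install script.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app",
             "dependencies": {"left-pad": "1.3.0", "chalk": "4.1.2"}},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/chalk": {"version": "4.1.2",
                               "dependencies": {"ansi-styles": "4.3.0"}},
        "node_modules/ansi-styles": {"version": "4.3.0"},
        "node_modules/chalk/node_modules/unvetted-helper": {
            "version": "0.0.1", "hasInstallScript": True},
    },
})

# Constructed allow-list: packages the team has already reviewed.
TRUSTED = {"left-pad", "chalk", "ansi-styles"}


def package_name(lock_path: str) -> str:
    """Map a lockfile key like 'node_modules/a/node_modules/@s/b' to '@s/b'."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock_json: str, trusted: set[str]) -> dict[str, list[str]]:
    """Return packages outside the allow-list and packages with install hooks."""
    packages = json.loads(lock_json).get("packages", {})
    untrusted, install_scripts = [], []
    for path, meta in packages.items():
        if path == "":  # the root project entry, not a dependency
            continue
        label = f"{package_name(path)}@{meta.get('version', '?')}"
        if package_name(path) not in trusted:
            untrusted.append(label)
        if meta.get("hasInstallScript"):  # npm runs these hooks on install
            install_scripts.append(label)
    return {"untrusted": sorted(untrusted), "install_scripts": sorted(install_scripts)}


if __name__ == "__main__":
    for key, items in audit_lockfile(SAMPLE_LOCKFILE, TRUSTED).items():
        print(f"{key}: {items or 'none'}")
```

Run it against a real lockfile by replacing `SAMPLE_LOCKFILE` with the file's contents; a non-empty `untrusted` or `install_scripts` list is the cue to review that package before running `npm install`.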