There are 3 categories of predictors that the model takes into account, here are some examples: (1) The code complexity, and its perceptual hash. (2) The author and their track record in the repository. (3) The author's past involvement in the specific files being modified.

With that said, an adversarial from somebody within the team/organisation would be very difficult to detect.