We report them when we find them (to GitHub, PyPI, NPM, etc.). Unfortunately the process on the other side isn't super quick. For example, we reported some malware to NPM on Dec 31, 2022 and received an email from them stating they were starting their investigation on Jan 9, 2023. The people responsible for removal are simply inundated with malware reports.
For GitHub, they just seem to be a bit more careful in what they remove. Malware (and other security-related code) _can_ be used for educational purposes. As such, they aren't as quick to nuke this stuff from the site.
See their acceptable use policy:
> Note that GitHub allows dual-use content and supports the posting of content that is used for research into vulnerabilities, malware, or exploits, as the publication and distribution of such content has educational value and provides a net benefit to the security community. We assume positive intention and use of these projects to promote and drive improvements across the ecosystem.