Packages are signed; unless they're infected at the source, you can't attach/embed malware in them en route to your machine. Upstream could insert much more insidious things into a package than malware. Scanning for malware is only going to help you find known pieces of malware with known signatures. It's not going to magically be able to detect any bit of malicious code. That is simply an impossible proposition, making scanning for malware an ineffective and virtually useless technique. Basically it comes down to trust. If you can't trust the repos, don't use them.