no, the solution is not to pay someone to have someone to blame if shit happens.
there are a bus load of people involved on the way from a git repo to actual stuff running on a machine and everyone in that chain is responsible to have an eye on what stuff they are building/packaging/installing/running and if something seems off, it’s their responsibility to investigate and communicate with each other.
attacks like this will not be solved by paying someone to read source code, because the code in the repo might not be what is going to run on a machine or might look absolutely fine in a vacuum or will be altered by some other part in the chain. and even if you have dedicated code readers, you can’t be sure that they are not compromised or that their findings will reach the people running/packaging/depending on the software.
check your contract, you might not own the code and your organization may have a process to determine how to license something.
to your other questions (IANAL)