If it’s something that is not very popular/known I do actually look at the code, but never all of it.

I check:

• most recent commits
• for something that might have been hidden before one of the releases
• deeper into utility files
• look for suspicious patterns in code that might be trying to hide something. Mostly for/in external network call related code

This is of course very superficial and in general I try to avoid obscure projects that are not popular and well known.