
Many security_advisory.published failing webhook events originating from similar npm packages

Open robase opened this issue 1 year ago • 1 comment

My GitHub org is currently receiving many webhooks of the security_advisory.published type. My understanding is that these advisories are general in nature and are not necessarily received due to a specific package being used within an org (please correct me if wrong).

The reason I'm raising this is that there appear to be many junk malware type advisories being pushed out through the database:

see: https://github.com/advisories?query=type%3Amalware

example advisory: https://github.com/advisories/GHSA-hh4g-p2q6-7fvj


These advisories would need to be reviewed before being sent out, is that correct? An interesting note is that these events are also all failing the X-Hub-Signature-256 check for the GitHub app installed in my org receiving the webhook events.

robase, Jul 04 '24 07:07
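The X-Hub-Signature-256 check mentioned in the issue is an HMAC-SHA256 of the raw request body keyed with the webhook secret, sent as `sha256=<hex>`. The following is an added example of how a receiver verifies it and why a check fails; it is not code from the issue, from the advisory database, or from GitHub. The secrets, the sample payload and the `demo` function are constructed for illustration.

```python
import hmac
import hashlib

HEADER = "X-Hub-Signature-256"


def compute_signature(secret: bytes, body: bytes) -> str:
    """Return the header value GitHub sends: 'sha256=' + hex HMAC-SHA256 of the raw body."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_signature(secret: bytes, body: bytes, headers: dict) -> bool:
    """Constant-time comparison of the signature header against the raw request body.

    Returns False when the header is absent or malformed, so an unsigned delivery
    is rejected rather than raising inside the request handler.
    """
    received = headers.get(HEADER)
    if not received or not received.startswith("sha256="):
        return False
    expected = compute_signature(secret, body)
    return hmac.compare_digest(expected, received)


# Constructed sample: a minimal security_advisory.published body, not a real delivery.
SAMPLE_BODY = b'{"action":"published","security_advisory":{"ghsa_id":"GHSA-hh4g-p2q6-7fvj"}}'
APP_SECRET = b"example-webhook-secret"   # assumed: the secret configured on the app's webhook
OTHER_SECRET = b"some-other-secret"      # assumed: a secret the receiver does NOT hold


def demo() -> dict:
    """Show the outcomes a receiver sees for valid, mis-keyed, altered and unsigned deliveries."""
    good = {HEADER: compute_signature(APP_SECRET, SAMPLE_BODY),
            "X-GitHub-Event": "security_advisory"}
    # Signed with a different secret than the receiver is configured with.
    wrong_secret = {HEADER: compute_signature(OTHER_SECRET, SAMPLE_BODY)}
    # Same JSON content but re-serialised (extra spaces): the bytes differ, so the
    # signature no longer matches. The raw body must be hashed, not a parsed/re-dumped copy.
    reserialised = b'{"action": "published", "security_advisory": {"ghsa_id": "GHSA-hh4g-p2q6-7fvj"}}'
    return {
        "valid": verify_signature(APP_SECRET, SAMPLE_BODY, good),
        "wrong_secret": verify_signature(APP_SECRET, SAMPLE_BODY, wrong_secret),
        "modified_body": verify_signature(APP_SECRET, reserialised, good),
        "missing_header": verify_signature(APP_SECRET, SAMPLE_BODY, {}),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

When every delivery of one event type fails the check, the two cases above that a receiver controls are worth ruling out first: the secret held by the receiver not matching the one configured on the webhook, and the body being parsed and re-serialised (or otherwise transformed by a proxy or framework) before it is hashed.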