There are a few ways you might find out that your router (or some other device on your network) has been compromised. Your ISP may tell you, as they see your outgoing traffic.
For example, earlier this year my QNAP NAS got infected by the VPNFilter malware, even though I kept its firmware up to date (within 1 month, anyway). Comcast started injecting a warning (once every 3 days) into my browsing, telling me that some device in my home was infected by VPNFilter, but of course they don't know which device it is. I was able to determine which device it was by reading Cisco's Talos blog about VPNFilter, where they said the malware periodically tries to read from a photobucket.com (!) gallery (obviously this gallery has long since been taken down). Probably Comcast's malware alert goes off if any customer tries to open that particular photobucket gallery.
I turned on deep packet inspection on my router to see which device, if any, was going to photobucket, and sure enough, my NAS was periodically checking it. It turns out the QNAP NAS does not come with its built-in malware remover actually installed, but once I installed and ran it, it found and removed the malware.
At home I keep all my internet of things (cameras, etc.), including the above QNAP NAS, on a separate VLAN, so they can't get at the home network.
I was worried my Netgear R7000 (running Shibby Tomato firmware, which has been abandoned) might have been compromised too, so I switched to a UniFi security gateway, as I had already switched most of my gear to UniFi (access points, switch). I really like UniFi's seamless roaming between access points, and the single pane of glass UI for monitoring the entire system.
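The post found the infected device with the router's deep packet inspection. As an added example (not part of the original post), the same question, which LAN client keeps contacting a known indicator domain, can be answered from DNS query logs. The sketch assumes dnsmasq `log-queries` output; the log lines, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in dnsmasq "log-queries" format (addresses are made up).
SAMPLE_LOG = """\
Jun  1 00:00:04 dnsmasq[812]: query[A] photobucket.com from 192.168.20.5
Jun  1 00:07:41 dnsmasq[812]: query[A] www.example.org from 192.168.1.23
Jun  1 00:30:05 dnsmasq[812]: query[A] photobucket.com from 192.168.20.5
Jun  1 00:41:10 dnsmasq[812]: query[AAAA] s123.photobucket.com from 192.168.1.23
Jun  1 01:00:03 dnsmasq[812]: query[A] photobucket.com from 192.168.20.5
Jun  1 01:30:06 dnsmasq[812]: query[A] photobucket.com from 192.168.20.5
Jun  1 01:31:00 dnsmasq[812]: query[A] notphotobucket.com from 192.168.1.40
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ query\[\w+\] (\S+) from (\S+)$")

def matches(name, watched):
    """True for the watched domain or any subdomain, not look-alike suffixes."""
    name = name.lower().rstrip(".")
    return name == watched or name.endswith("." + watched)

def find_beaconing(log_text, watched, min_hits=3, max_jitter=60):
    """Return {client_ip: mean_interval_seconds} for clients that look up
    `watched` at a near-constant interval (gap spread <= max_jitter seconds)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and matches(m.group(2), watched):
            # syslog lines carry no year; a fixed one is fine for intervals
            ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
            seen[m.group(3)].append(ts)
    result = {}
    for client, times in seen.items():
        if len(times) < min_hits:
            continue  # a single human visit is not periodic behaviour
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            result[client] = sum(gaps) / len(gaps)
    return result

if __name__ == "__main__":
    for ip, interval in find_beaconing(SAMPLE_LOG, "photobucket.com").items():
        print(f"{ip} queries photobucket.com about every {interval:.0f}s")
```

A client that looks the domain up once from a browser is ignored; only regular, machine-like repetition is reported, which is what separates an infected device from ordinary browsing.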