grype
Add support for detecting malicious packages
The OpenSSF recently announced a new malicious package repository that tracks npm, pypi, and rubygems package ecosystems and enumerates known malicious packages in the OSV format. This appears to have overlap with the GHSA dataset of malicious npm packages which is already supported by Grype.
One question I have: will this data eventually be ported to GHSA? (in which case we have very little / no work to do) ... or will this data remain separate indefinitely?
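Whichever way the data ends up being distributed, the matching side is the same as for any OSV feed: an installed package is flagged when its ecosystem and name equal an `affected` entry and its version is in that entry's version list or range. The Go program below is an added illustration, not Grype's code and not anything from the OpenSSF repository; the advisory record, its `MAL-0000-EXAMPLE` ID, the package names and the SBOM entries are all constructed placeholders. It handles the two shapes malicious-package records commonly take (an explicit version list, or a range introduced at "0" that is never fixed) and applies the PEP 503 name normalization a PyPI matcher needs, since the advisory and the SBOM may spell the same package with different case or separators.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Subset of the OSV schema needed for matching. Field names follow the OSV
// schema; the matching logic is illustrative and not Grype's own code.
type OSVAdvisory struct {
	ID       string        `json:"id"`
	Affected []OSVAffected `json:"affected"`
}
type OSVAffected struct {
	Package struct {
		Ecosystem string `json:"ecosystem"`
		Name      string `json:"name"`
	} `json:"package"`
	Versions []string   `json:"versions"` // explicit affected versions, or
	Ranges   []OSVRange `json:"ranges"`   // ranges expressed as events
}
type OSVRange struct {
	Events []struct {
		Introduced   string `json:"introduced"`
		Fixed        string `json:"fixed"`
		LastAffected string `json:"last_affected"`
	} `json:"events"`
}

// Package is an installed package as a scanner reads it from an SBOM.
type Package struct{ Ecosystem, Name, Version string }

// Constructed OSV record: the ID and package names are placeholders, not
// entries from the OpenSSF malicious-packages repository.
const sampleAdvisoryJSON = `{
  "id": "MAL-0000-EXAMPLE",
  "affected": [
    {"package": {"ecosystem": "npm", "name": "example-evil-pkg"},
     "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}]},
    {"package": {"ecosystem": "PyPI", "name": "Example_Evil.Pkg"},
     "versions": ["0.0.1", "0.0.2"]}
  ]
}`

var pypiSeparators = regexp.MustCompile(`[-_.]+`)

// normalizeName applies each ecosystem's name-equivalence rule, so that on
// PyPI "Example_Evil.Pkg" and "example-evil-pkg" compare equal (PEP 503).
func normalizeName(ecosystem, name string) string {
	switch ecosystem {
	case "PyPI":
		return strings.ToLower(pypiSeparators.ReplaceAllString(name, "-"))
	case "npm":
		return strings.ToLower(name)
	}
	return name
}

// Affects reports whether adv flags pkg. Explicit version lists and the usual
// malicious-package range ("introduced": "0", never fixed) are handled; a bounded
// range would need an ecosystem-aware version comparison and never matches here.
func Affects(adv OSVAdvisory, pkg Package) bool {
	want := normalizeName(pkg.Ecosystem, pkg.Name)
	for _, a := range adv.Affected {
		if a.Package.Ecosystem != pkg.Ecosystem || normalizeName(pkg.Ecosystem, a.Package.Name) != want {
			continue
		}
		for _, v := range a.Versions {
			if v == pkg.Version {
				return true
			}
		}
		for _, r := range a.Ranges {
			fromZero, bounded := false, false
			for _, e := range r.Events {
				fromZero = fromZero || e.Introduced == "0"
				bounded = bounded || e.Fixed != "" || e.LastAffected != ""
			}
			if fromZero && !bounded {
				return true
			}
		}
	}
	return false
}

func main() {
	var adv OSVAdvisory
	if err := json.Unmarshal([]byte(sampleAdvisoryJSON), &adv); err != nil {
		panic(err)
	}
	// Constructed SBOM entries: the first two are flagged (the PyPI one only via
	// name normalization), the last two are clean.
	for _, p := range []Package{{"npm", "example-evil-pkg", "1.4.0"}, {"PyPI", "example-evil-pkg", "0.0.2"},
		{"PyPI", "example-evil-pkg", "0.0.3"}, {"npm", "lodash", "4.17.21"}} {
		fmt.Printf("%s %s@%s flagged=%v\n", p.Ecosystem, p.Name, p.Version, Affects(adv, p))
	}
}
```

The ecosystem check is deliberately exact: the same name in npm and PyPI is a different package, so a record for one must not flag the other. The bounded-range case is left as "no match" rather than guessed, because comparing versions correctly requires the ecosystem's own ordering rules; a real matcher would plug those in before trusting range events with a `fixed` or `last_affected` bound.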