Malicious code in claw_messenger (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b621afa50fe31026a12750b83eeb309366f95b07a9e0c5095d3e862f0007b70f The postinstall lifecycle script in dist/postinstall.js spawns two detached, hidden child processes during npm install. 1 spawn'npm', 'install', '-g'...

@_mustachio/ai-review-agent (>=1.4.1 <=1.5.0), @antaif3ng/til-work (=0.6.0) +51 more potentially affected by CVE-2026-22813 via opencode-ai (>=0.14.7 <=1.15.13)

opencode-ai NPM version =0.14.7, =1.4.1, =1.19.0-beta.3, =1.19.0-beta.2, =0.1.1, =0.1.0, =0.17.0, =2.4.0-canary.0ba816b, =1.0.0, =1.1.0, =0.0.1, =0.0.26 and more Source cves: CVE-2026-22813 Source advisory: OSV:GHSA-C83V-7274-4VGP...

@circleci/agents (>=2.4.0-canary.0ba816b <=2.17.2-canary.ea22b4e), @lfades/next-code (>=0.0.1 <=0.0.2) +2 more potentially affected by CVE-2026-22812 via opencode-ai (>=0.14.7 <=1.0.123)

opencode-ai NPM version =0.14.7, =2.4.0-canary.0ba816b, =0.0.1, =0.1.0, =0.1.9, =0.5.7 Source cves: CVE-2026-22812 Source advisory: OSV:GHSA-VXW4-WV6M-9HHH...