Does the Snyk vulnerability database contain malicious packages or only known vulnerabilities ?