
docs: clarify advisory-driven malware detection limits #41

Merged
sonukapoor merged 1 commit into main from docs/advisory-driven-malware-detection-note
Apr 1, 2026

Conversation

@sonukapoor (Collaborator)

Summary

Clarifies how CVE Lite CLI handles malicious package incidents and supply-chain compromises.

This PR updates the README to explain that detection is advisory-driven through OSV/GHSA data. It makes clear that the tool can detect malicious versions found in lockfiles once those versions are represented in the upstream advisory data, but it is not a real-time malware detector or behavioral analysis tool.

Changes

  • added a README section explaining malicious package incident detection
  • clarified that exact affected versions in lockfiles can be detected once advisory data exists
  • noted that malicious transitive packages may also be detected when present in the lockfile and represented upstream
  • documented the boundary that detection is not guaranteed before advisory publication/indexing
  • reinforced that lockfile-based scans are the strongest path, while package.json fallback remains limited

Why

Recent supply-chain incidents can create the expectation that any scanner should catch malicious packages immediately. This change sets the right expectation without weakening the value of the tool.

CVE Lite CLI is intentionally local-first and lightweight. Its strength is practical lockfile scanning with OSV-backed advisory matching, not pre-publication malware analysis.

Impact

  • improves user understanding
  • makes limitations explicit and honest
  • strengthens trust in project positioning
  • helps differentiate the tool clearly and defensibly

Notes

This is a documentation-only change. No scanner behavior was changed in this PR.
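The matching model the PR description refers to (exact lockfile versions compared against versions listed in upstream advisory data, transitive packages included, nothing flagged until an advisory exists) can be shown in a few dozen lines. The following is an added illustration, not CVE Lite CLI's own code: the lockfile, the advisory records and the ids in them are constructed, and the advisory shape only approximates OSV's `affected[].package` / `affected[].versions` fields.

```javascript
// Added example (not CVE Lite CLI's own code): advisory-driven matching of
// lockfile versions against OSV-style exact "affected versions" lists.
// Every record below is constructed for illustration.

// Constructed package-lock.json (lockfileVersion 3: "packages" keyed by
// install path, so transitive and nested copies appear with resolved versions).
const LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { "left-pad-ish": "^2.0.0" } },
    "node_modules/left-pad-ish": { version: "2.3.1", dependencies: { "tiny-colors-ish": "^1.0.0" } },
    // transitive dependency: never listed in package.json
    "node_modules/tiny-colors-ish": { version: "1.4.2" },
    // nested second copy at a different path: must be scanned too
    "node_modules/left-pad-ish/node_modules/tiny-colors-ish": { version: "1.4.0" },
  },
};

// Constructed OSV-style advisory. The id is a placeholder, not a real GHSA/OSV id.
const ADVISORIES = [
  {
    id: "GHSA-PLACEHOLDER-0001",
    summary: "Malicious code published in tiny-colors-ish (constructed)",
    affected: [
      { package: { ecosystem: "npm", name: "tiny-colors-ish" }, versions: ["1.4.2", "1.4.3"] },
    ],
  },
];

// Flatten the lockfile into {name, version, path}. The package name is the
// text after the last "node_modules/" segment, which also handles scoped
// packages ("node_modules/@scope/name") and nested copies.
function lockfilePackages(lock) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !entry.version) continue;
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    out.push({ name, version: entry.version, path });
  }
  return out;
}

// Exact-version match: a finding exists only when the resolved version in the
// lockfile appears in an advisory's affected versions list. With an empty
// advisory set (pre-publication) the same lockfile yields no findings.
function scanLockfile(lock, advisories) {
  const findings = [];
  for (const pkg of lockfilePackages(lock)) {
    for (const adv of advisories) {
      for (const aff of adv.affected) {
        if (aff.package.ecosystem !== "npm" || aff.package.name !== pkg.name) continue;
        if ((aff.versions || []).includes(pkg.version)) {
          findings.push({ id: adv.id, name: pkg.name, version: pkg.version, path: pkg.path });
        }
      }
    }
  }
  return findings;
}

// package.json fallback: only direct dependencies with semver ranges are
// visible, so there is no resolved version to compare and no transitive
// packages at all. This is why the lockfile path is the stronger one.
function manifestDependencies(manifest) {
  return Object.entries(manifest.dependencies || {}).map(([name, range]) => ({ name, range }));
}

// Stand-alone run: before and after the (constructed) advisory is published.
console.log("before advisory:", scanLockfile(LOCKFILE, []));
console.log("after advisory:", scanLockfile(LOCKFILE, ADVISORIES));
console.log("package.json fallback sees:", manifestDependencies(LOCKFILE.packages[""]));
```

The nested copy at version 1.4.0 is deliberately left out of the advisory's version list: it stays unreported until upstream data lists it, which is exactly the boundary the README change documents.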

@sonukapoor sonukapoor merged commit c761c1a into main Apr 1, 2026
3 checks passed
@sonukapoor sonukapoor deleted the docs/advisory-driven-malware-detection-note branch April 24, 2026 19:30
