JFrog says six malicious npm packages used hidden install-time execution, JSONKeeper fetches, and sandbox checks to enable remote access.
import { runAgent, AgentToolCalls, OpenAITokens } from "@workit/core/ai"; import { CostBudget, run } from "@workit/core"; const { result, events } = await runAgent ...