- How to tell if an npm package is malicious before you install it — 2026-07-16
Most malicious npm packages give themselves away if you know where to look: install scripts, credential reads, odd network calls, obfuscation. Here is what to check, and how to automate it.
- Why a scan verdict has to be tied to a hash — 2026-07-16
A scan tells you a package was fine when it was scanned, not when you install it. Binding the verdict to a content hash closes that time-of-check to time-of-use gap.
- SSH keys, cloud creds, wallets: what a malicious agent skill actually steals — 2026-07-14
Malicious AI-agent skills and packages target the same high-value secrets every time. Here is what they go after, how they hide it, and how to check a skill before it runs on a machine full of credentials.
- How to check an MCP server for malware before you add it — 2026-07-14
MCP servers run with real access to your tools and data. Before an agent connects to a third-party one, verify it: a free known-bad lookup and a deterministic scan of the package it ships.
- Pay-per-call verification: how an agent scans a package without an account — 2026-07-14
Lazaretto is priced per call over x402 (USDC on Base), so an autonomous agent can discover the price, pay, and get a scan inline — no signup, no key. Here is how the flow works.
- How to verify a skill or package before your AI agent installs it — 2026-07-14
Autonomous agents install third-party skills, MCP servers, and npm packages on the fly. Here is how to check one for malicious behavior before it runs — with a free known-bad lookup and a deterministic scan.