2026-07-17
A malicious dependency does not announce itself. It shows up as a version bump in a pull request that looks like every other version bump, and it runs on your CI machine and your developers' laptops the moment someone installs it. The cheapest place to catch it is in the pull request, before it merges.
The Lazaretto scan action checks the packages you depend on and fails the build on a bad verdict. Add it to any workflow:
- uses: jamesdfinance-dev/lazaretto-scan-action@v1
with:
api-key: ${{ secrets.LAZARETTO_API_KEY }}
fail-on: malicious
Leave targets empty and it scans the direct dependencies in your
package.json. Or point it at specific things you are about to vendor:
with:
targets: |
npm_package:some-pkg@1.2.3
github_repo:some-org/some-skill
Gate the job so it only runs when your dependencies actually change, and you pay for a scan only when there is something new to check:
on:
pull_request:
paths: ['package.json', 'package-lock.json']
It fetches each package without running it, checks it against known-bad indicators
refreshed daily, and looks for the usual behavior: credential reads, data exfiltration, obfuscation,
install scripts, prompt injection aimed at an agent. A clear result means no known-bad
match and no rule fired. That is a signal, not a warranty. The full evidence for any verdict is in the
report from the API.
Claim one with three free scans, no signup: curl -s -X POST
https://lazaretto.dev/v1/trial returns a key. Store it as LAZARETTO_API_KEY in your
repo secrets. For more, buy a bundle. See the other posts
for how the verdicts work.
Lazaretto is the pre-install checkpoint agents call themselves. Try it · pricing.