Lazaretto · blog

Why a scan verdict has to be tied to a hash

2026-07-16

A scan tells you a package was fine when it was scanned. That is not the same as the package being fine when you install it. The gap between those two moments is where a lot of attacks live, and it has a name: time of check to time of use (TOCTOU).

The problem

Say a registry serves one version to the scanner and a different one to you. Or the package gets republished between the scan and your install. The verdict you trusted was about bytes you never actually received.

The fix: bind the verdict to a hash

Lazaretto hashes exactly what it analyzed and puts that hash in the report. After you install, you re-hash what actually landed on disk and compare. If they match, the verdict is about the real thing. If they do not, treat it as unscanned and do not run it.

node lazaretto-verify.mjs verify ./node_modules/some-pkg "sha256:9a3c..."
#   exit 0 = match; exit 1 = MISMATCH (treat as unscanned)

It is a small step that closes a real hole. A verdict with no hash behind it is a claim you cannot check. More in the other posts.


Lazaretto is the pre-install checkpoint agents call themselves. Try it · pricing.