Tolga SEZER, security researcher at Extuno
Tolga SEZER researches how browser extensions and developer packages get compromised, and writes the Extuno blog to turn those findings into practical guidance for security and engineering teams.
Who is Tolga SEZER?
Tolga SEZER is a security researcher at Extuno. His work centers on the software supply chain that most security programs still treat as a blind spot: the browser extensions employees install and the third-party packages developers pull into their builds. Both run with real privilege, both update through channels outside your control, and both are routinely abused to move malicious code onto endpoints and into pipelines.
His research spans the eight ecosystems Extuno analyzes - extensions for Chrome, Firefox, VS Code, JetBrains, and Eclipse, Discord client modifications, and the npm and PyPI registries. Rather than treating each as a separate problem, he looks at the patterns they share: privilege requested at install, code that arrives later through an update, secrets left behind in shipped artifacts, and behavior that only appears at runtime. You can follow that work on the Extuno blog, and read how the platform turns it into checks on the methodology page.
What does he research?
The throughline of Tolga's research is the gap between what a package looks like at review time and what it does after it is installed and updated. A few areas he covers in depth:
- Browser extension security. Permission abuse, content-script injection, and the manifest and capability signals that separate a legitimate tool from one built to harvest data. See browser extension security.
- Update-channel compromise. How a benign, already-trusted extension or package can turn malicious through its update channel, and why comparing versions is the signal that catches it. See version diffing and supply-chain attacks.
- Secret detection. Credentials, tokens, and private keys left in shipped bundles, including values that only surface at runtime. See secret leak detection.
- Package registry threats. Typosquatting, dependency confusion, and install-time code execution across npm and PyPI.
Documented, real-world examples that match these patterns are catalogued in the public malicious database.
How does the research become detection?
Research only matters if it ends up as a check that runs on every scan. Tolga's findings feed three analysis layers that Extuno applies together so a single technique has to evade more than one of them. Static analysis reads the code and manifest without executing them, applying over 1100 rules and more than 1000 secret detectors to flag dangerous capabilities and leaked credentials - see static analysis and the published detection rules. Dynamic analysis runs the artifact in a network-segmented sandbox to capture the network destinations, file access, and command execution that static review cannot see - see the dynamic sandbox. And version diffing compares each release against the last one so a malicious change introduced through an update is caught even when the prior version was clean.
Every finding carries evidence - the file, the line, the matched value, and why it is dangerous - so a result is something a team can act on rather than an opaque score. The broader approach is laid out in the package security and supply-chain security guides.
Where to read his work
Tolga writes the Extuno blog, where new research is published as evergreen, practical articles for security engineers, application security teams, and developers who own their dependency and extension risk. The articles favor concrete patterns and reproducible reasoning over scare statistics, and they link back to the underlying detection so you can see exactly how a claim is checked.
If you want the mechanics behind the writing, start with the methodology page for how scans are run and scored, then the detection rules for the specific checks. For a working catalogue of real documented threats across ecosystems, the malicious database is updated from public feeds.
Frequently asked questions
What does Tolga SEZER do at Extuno?
He is a security researcher at Extuno. He studies how browser extensions and developer packages are compromised across the eight ecosystems Extuno analyzes, and he writes the Extuno blog so those findings become practical guidance and detection checks.
What topics does he write about?
Browser extension and developer package supply-chain security, static and dynamic analysis, secret detection, update-channel compromise caught through version diffing, and registry threats such as typosquatting and dependency confusion across npm and PyPI.
Where can I read his articles?
On the Extuno blog. Each article links back to the relevant detection - static analysis, the dynamic sandbox, version diffing, or secret detection - and to the methodology page that describes how scans are run and scored.