Extuno changelog and update history
Extuno changes constantly because the threats do. The malicious-extension and package dataset refreshes daily, the static rule packs grow as new attack techniques appear, and ecosystem coverage widens over time.
What changes on a daily cadence?
The malicious database of known-bad extensions and packages refreshes daily. New confirmed-malicious identifiers, removed-from-store listings, and update-channel compromises are pulled in and reconciled, so a lookup reflects recent activity rather than a stale snapshot.
When a known-bad identifier is added, every scan and every monitored extension benefits immediately. You do not re-run anything by hand. If an extension you already scanned later appears in the dataset, the next monitoring check flags it. The daily refresh is the part of Extuno that moves fastest because store takedowns and supply-chain incidents happen on a daily clock.
How do the static rule packs grow?
Extuno ships 1100+ static rules today, including 1000+ secret and API-key detectors. New rules are added as fresh malware behavior, obfuscation techniques, and dangerous permission combinations appear in the wild. Each rule is anchored to a precise signature to keep false positives near zero.
Rule additions are grouped into packs by category: malware behavior, leaked secrets, dangerous permissions, and obfuscation. You can browse the live counts on the detection rules page. Because detection is data-driven, the catalog grows by adding pack entries, not by changing the scoring engine, so existing findings stay stable and explainable.
When does ecosystem coverage expand?
Extuno covers 12 ecosystems: Chrome, Firefox, VS Code, JetBrains, Eclipse, Discord client mods, npm, PyPI, WordPress, Composer, and Maven. Coverage expands when a new source is wired into acquisition, static analysis, and the dynamic sandbox. Each ecosystem gets its own format handling and, where the runtime allows, instrumented execution in the microVM.
Package sources like npm and PyPI get install-script and import-time analysis because that is where their real risk lives. Browser sources get popup and options-page screenshots plus background-network capture. New ecosystem support is announced here when it lands.
What stays constant across every release?
Two commitments do not change between releases. First, every finding carries evidence: the file, the line, why it is dangerous, and the recommended action. A bare risk number is never acceptable. Second, detection updates are checked against a labeled corpus so precision and recall do not regress when new rules ship.
The headline capability also stays put across releases: version-diffing compares an update against the prior version and flags a benign-to-dangerous escalation. That is how Extuno catches an extension or package poisoned through its update channel. Read the full approach on the methodology page.
Recent entries
These entries are representative of the kinds of changes that ship. Specific third-party version numbers are intentionally omitted to keep the record honest and high-level.
- 2026-06 Dataset refresh cadence confirmed at daily across all browser and package sources; removed-from-store listings now reconciled on each pass.
- 2026-06 Secret-detector pack expanded; new anchored patterns for cloud, CI/CD, messaging, and AI provider keys, all fixture-tested for zero false positives.
- 2026-06 Dynamic sandbox extended to instrumented package install and import paths for npm, PyPI, WordPress, Composer, and Maven; network endpoints and captured payloads recorded in the trace.
- 2026-06 CI/CD output hardened: SARIF and JSON results with a configurable pass or fail gate for pipelines. See CI/CD scanning.
{
"event": "dataset.refresh",
"source": "malicious-db",
"cadence": "daily",
"added": 412,
"removed_from_store": 73,
"ecosystems": ["chrome","firefox","npm","pypi"],
"as_of": "2026-06-29T00:00:00Z"
}Frequently asked questions
How often does the malicious-extension dataset update?
Daily. New confirmed-malicious identifiers, store removals, and update-channel compromises are pulled in and reconciled once per day. Any scan or monitored extension reflects the latest dataset automatically without a manual re-run.
How many detection rules does Extuno have?
Extuno ships 1100+ static rules, including 1000+ detectors for leaked secrets and API keys. The catalog grows continuously as new malware behavior and obfuscation techniques appear. Live counts are shown on the detection rules page.
Will new rules change my existing scan results?
Detection is data-driven, so adding rules does not alter the scoring engine. Updates are validated against a labeled corpus to keep precision and recall from regressing, which keeps existing findings stable and explainable across releases.
Do new ecosystems get added over time?
Yes. Extuno currently covers 12 ecosystems: Chrome, Firefox, VS Code, JetBrains, Eclipse, Discord client mods, npm, PyPI, WordPress, Composer, and Maven. When a new source is wired into acquisition, static analysis, and the dynamic sandbox, it is announced on this page.
Are version numbers of scanned software listed here?
No. This page tracks Extuno's own changes at a high level. Specific third-party software version numbers are not invented or listed. Per-finding evidence, including the exact file and line, lives in each scan report instead.