Keep watching extensions after you approve them
An extension that was clean at install can turn malicious through its next update. Extuno tracks each item you care about, re-scans it the moment a new version ships, and tells you when the behavior changes.
Why does an extension need watching after it passes review?
Approval is a point-in-time decision. The code you reviewed is not the code that runs after the next auto-update. An attacker who buys, phishes, or breaches a publisher can push a poisoned version through the same update channel users already trust, and it lands silently across every install.
Continuous monitoring closes that gap. Instead of scanning once and forgetting, Extuno keeps a watchlist of the extensions and packages you depend on across all 8 supported ecosystems and re-evaluates each one whenever the publisher ships a change. The first clean scan is the baseline, not the conclusion.
How does Extuno decide when to re-scan?
Extuno checks the published version on a frequency you choose per item: hourly, every six hours, daily, or weekly. The check is a cheap version probe against the store or registry. It does not download or re-analyze the package unless the version string has actually moved past the recorded baseline.
When nothing changed, nothing runs and nothing is charged. When the version does change, Extuno pulls the new package and runs the full pipeline: static analysis over 1100+ rules, the dynamic sandbox, and AI code analysis. This change-triggered model means you re-scan exactly the updates that matter and skip the noise of fixed re-scan cadences.
What does Extuno diff between versions?
Every monitored re-scan is compared against the prior version. Version-diffing is the core supply-chain signal: it flags a benign-to-dangerous escalation across an update rather than judging the new build in isolation.
The diff surfaces newly added dangerous permissions, broadened host access, a changed or self-hosted update URL, a weakened content security policy, new code-execution paths, and new network endpoints or messaging-bot exfiltration channels that were absent in the previous release. A version that quietly starts beaconing after an update is precisely the pattern this catches. Read more on how update-channel attacks work.
When does monitoring raise an alert?
Monitoring is quiet by design. It alerts on two conditions. The first is a risk-band escalation: the new version crosses into a higher severity band than the version you last accepted, for example moving from review to high or critical. The second is a takedown: the extension or package was removed or disabled from its store, which often means the publisher or store acted on abuse.
Each alert carries the from-version and to-version, the band change, and a link to the full evidence-backed scan, so you can see the file, the line, and why the new behavior is dangerous before you decide to pin, roll back, or remove.
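The change-triggered loop and the two alert conditions, modelled as an added example (not Extuno's code): a cheap version probe, a full scan only when the version moved past the baseline, and an alert only on a band escalation or a takedown. The band ordering beyond the names on this page, the `fake_scan` stand-in for the pipeline and all sample values are assumptions.

```python
"""Change-triggered monitor: probe, re-scan only on version change, alert on escalation or takedown."""
from dataclasses import dataclass

# Assumed severity order, lowest to highest; only "review", "high" and "critical" come from the page.
BANDS = ["clean", "review", "high", "critical"]

@dataclass
class Baseline:
    ecosystem: str
    item_id: str
    version: str   # last version you accepted
    band: str      # its severity band

def version_tuple(v):
    """Compare dotted versions numerically, so 4.10.0 sorts after 4.9.1."""
    return tuple(int(x) for x in v.split("."))

def needs_rescan(baseline, probed_version):
    """The cheap probe: nothing runs unless the version moved past the recorded baseline."""
    return probed_version is not None and version_tuple(probed_version) > version_tuple(baseline.version)

def evaluate(baseline, probed_version, scan):
    """probed_version is None when the store reports the item removed or disabled.
    scan(version) -> (band, signals, scan_url) is the full pipeline, invoked only on change."""
    base = {"ecosystem": baseline.ecosystem, "extension": baseline.item_id}
    if probed_version is None:
        return {"alert": "takedown", **base, "last_version": baseline.version}
    if not needs_rescan(baseline, probed_version):
        return None                      # unchanged version: no download, no analysis, no charge
    band, signals, scan_url = scan(probed_version)
    if BANDS.index(band) <= BANDS.index(baseline.band):
        return None                      # same or lower band: a package that was always high stays quiet
    return {"alert": "band_escalation", **base,
            "from_version": baseline.version, "to_version": probed_version,
            "from_band": baseline.band, "to_band": band,
            "new_signals": signals, "scan_url": scan_url}

# Constructed stand-in for the pipeline; real results come from the static, sandbox and AI passes.
def fake_scan(version):
    if version == "4.3.0":
        return ("critical", ["host_permissions broadened to <all_urls>",
                             "cookie read flows to network sink"], "/app/scans/constructed")
    return ("review", [], "/app/scans/constructed")

if __name__ == "__main__":
    b = Baseline("chrome", "pdf-toolbox-pro", "4.2.1", "review")
    print(evaluate(b, "4.2.1", fake_scan))   # None: nothing changed
    print(evaluate(b, "4.3.0", fake_scan))   # band_escalation, review -> critical
    print(evaluate(b, None, fake_scan))      # takedown
```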
How does monitoring fit the rest of the platform?
A monitor is owned by the person who created it and re-scans only on a real version change, so the workflow stays predictable. Confirmed-malicious results feed the malicious database, and you can cross-check any id you watch against known-bad entries.
For build pipelines, the same engine backs CI/CD scanning with SARIF output and a pass/fail gate, so a dependency that turns malicious can block a merge the same way a fresh leak does. Continuous monitoring covers the post-approval window; the gate covers the pre-merge window.
{
"alert": "band_escalation",
"ecosystem": "chrome",
"extension": "pdf-toolbox-pro",
"from_version": "4.2.1",
"to_version": "4.3.0",
"from_band": "review",
"to_band": "critical",
"new_signals": [
"host_permissions broadened to <all_urls>",
"new endpoint: telegram bot sendMessage",
"cookie read flows to network sink"
],
"scan_url": "/app/scans/9f3c2a"
}
Frequently asked questions
Does monitoring re-scan on a fixed schedule?
No. Extuno probes the published version on your chosen frequency, but it only runs a full re-scan when the version actually changes from the recorded baseline. A version that has not moved is left alone, so you are not paying for or sifting through redundant scans of unchanged code.
What gets analyzed when a new version is detected?
The complete pipeline runs on the new build: static analysis across 1100+ rules including 1000+ secret detectors, the network-segmented microVM sandbox that records contacted endpoints and sent data, and AI code analysis. The result is then version-diffed against the prior release to flag any escalation in behavior.
How is a band escalation different from just a high risk score?
A band escalation is relative. It fires when the new version crosses into a higher severity band than the version you previously accepted, which is the supply-chain signal. A package that was always high stays high without re-alerting; the alert is about the change in posture across an update.
What happens if a watched extension is removed from its store?
Extuno raises a takedown alert when the version probe finds the item removed or disabled at its source. A store removal frequently indicates the publisher or the store responded to abuse, so it is a signal worth acting on even before a code-level finding is available.
Which ecosystems can I monitor?
All 8 supported ecosystems: Chrome, Firefox, VS Code, JetBrains, Eclipse, Discord client mods, npm, PyPI, WordPress, Composer, and Maven. You can watch published extensions and packages by their store or registry id, and a pinned package version that never changes simply never triggers a re-scan.