Package registry: Maven

Maven artifacts, scanned at the bytecode level.

A malicious Maven JAR ships JVM bytecode, not source - so Extuno scans the .class constant pool for dangerous APIs: process execution, remote class-loading, script engines, and credential reads that flow to the network. Static and AI analysis on every scan.

What Extuno catches in Maven

Evidence, not guesswork.

Each finding names the change, why it is dangerous, and the recommended action.

Diff finding: Runtime.exec on load (Critical)
A static initializer spawns a shell when the class is loaded.

Diff finding: Credential exfiltration (Critical)
Bytecode reads an env credential and opens a network connection.

Diff finding: Remote class-loading (Review)
URLClassLoader.addURL pulls code from a remote URL.
See it on a poisoned update

Malicious bytecode, read without running it

Extuno scans the .class constant pool and flags the process-exec and the credential-to-network flow.
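To make the constant-pool scan described above concrete, here is an added example (not Extuno's code): it parses the constant pool of a .class file without loading it and flags Methodref entries that resolve to a watch-listed class and method. The watchlist, the helper names and the truncated sample class bytes are constructed for this example.

```python
import struct
# Assumed watchlist for this example; Extuno's own rule set is not on the page.
WATCHLIST = {
    ("java/lang/Runtime", "exec"): "process execution",
    ("java/net/URLClassLoader", "addURL"): "remote class-loading",
    ("java/lang/System", "getenv"): "credential read",
    ("java/net/Socket", "<init>"): "network connection",
}
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,  # payload bytes
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}                         # per cp tag

def parse_constant_pool(data: bytes) -> dict:
    """Return {index: (tag, payload)} for the constant pool; nothing is executed."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count, pos, i, pool = struct.unpack(">H", data[8:10])[0], 10, 1, {}
    while i < count:
        tag = data[pos]
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by (modified) UTF-8 bytes
            n = struct.unpack(">H", data[pos + 1:pos + 3])[0]
            pool[i], pos = (tag, data[pos + 3:pos + 3 + n].decode("utf-8", "replace")), pos + 3 + n
        else:
            pool[i], pos = (tag, data[pos + 1:pos + 1 + FIXED[tag]]), pos + 1 + FIXED[tag]
        i += 2 if tag in (5, 6) else 1  # long/double occupy two pool slots
    return pool

def scan_constant_pool(data: bytes) -> list:
    """Flag Methodref/InterfaceMethodref entries that resolve to a watch-listed API."""
    pool = parse_constant_pool(data)
    u16 = lambda b: struct.unpack(">H", b[:2])[0]
    findings = []
    for tag, payload in pool.values():
        if tag in (10, 11):
            cls_idx, nat_idx = struct.unpack(">HH", payload)
            cls = pool[u16(pool[cls_idx][1])][1]    # Class -> Utf8 class name
            name = pool[u16(pool[nat_idx][1])][1]   # NameAndType -> Utf8 method name
            if (cls, name) in WATCHLIST:
                findings.append((cls, name, WATCHLIST[(cls, name)]))
    return findings
# Constructed sample: header plus the constant pool of a class that references
# Runtime.exec and System.getenv; the rest of the class file is deliberately omitted.
def _u(s): return b"\x01" + struct.pack(">H", len(s)) + s.encode()
def _c(i): return b"\x07" + struct.pack(">H", i)
def _nt(n, d): return b"\x0c" + struct.pack(">HH", n, d)
def _m(c, nt): return b"\x0a" + struct.pack(">HH", c, nt)
SAMPLE_CLASS = (b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + struct.pack(">H", 13)
    + _u("java/lang/Runtime") + _c(1) + _u("exec")
    + _u("(Ljava/lang/String;)Ljava/lang/Process;") + _nt(3, 4) + _m(2, 5)
    + _u("java/lang/System") + _c(7) + _u("getenv")
    + _u("(Ljava/lang/String;)Ljava/lang/String;") + _nt(9, 10) + _m(8, 11))
```

A real scanner would go on to walk method bodies so that a flagged call can be tied to a static initializer or to a data flow from getenv to a socket, which the constant pool alone cannot show.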

  • Vulnerability and secret-leak testing on every version
  • Static analysis reads the package without running it
  • Dynamic sandbox runs it live and records behavior
  • AI code analysis reads the full source and correlates the change against prior versions

Scan your first Maven package free.

Your first 5 credits are free - that is 5 full scans, no card required.