Package registry: Maven
Maven artifacts, scanned at the bytecode level.
A malicious Maven JAR ships JVM bytecode, not source - so Extuno scans the .class constant pool for dangerous APIs: process execution, remote class-loading, script engines, and credential reads that flow to the network. Static and AI analysis on every scan.
What Extuno catches in Maven
Evidence, not guesswork.
Each finding names the change, why it is dangerous, and the recommended action.
- Runtime.exec on load (Diff finding, Critical): A static initializer spawns a shell when the class is loaded.
- Credential exfiltration (Diff finding, Critical): Bytecode reads an env credential and opens a network connection.
- Remote class-loading (Diff finding, Review): URLClassLoader.addURL pulls code from a remote URL.
See it on a poisoned update
Malicious bytecode, read without running it
Extuno scans the .class constant pool and flags the process-exec and the credential-to-network flow.
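The constant-pool scan described above, as an added Python example (not Extuno's code): it parses a .class file's constant pool following the JVM class-file format and reports method references that match a watchlist. The watchlist, the function names and the SAMPLE bytes are assumptions constructed for illustration.

```python
import struct

# Payload size per constant-pool tag (JVMS 4.4); Utf8 (tag 1) is variable-length.
SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Assumed watchlist for illustration: (class, method); None matches any method.
WATCH = {("java/lang/Runtime", "exec"), ("java/lang/ProcessBuilder", "start"),
         ("java/net/URLClassLoader", "addURL"), ("javax/script/ScriptEngineManager", None)}

def parse_pool(data):
    """Return {index: (tag, payload)} for the constant pool of a .class file."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool, off, i = {}, 10, 1
    while i < count:
        tag, off = data[off], off + 1
        if tag == 1:  # Utf8: u2 length, then that many bytes
            n = struct.unpack_from(">H", data, off)[0] + 2
            pool[i] = (tag, data[off + 2:off + n].decode("utf-8", "replace"))
        elif tag in SIZES:
            n = SIZES[tag]
            pool[i] = (tag, data[off:off + n])
        else:
            raise ValueError(f"unknown constant tag {tag} at index {i}")
        off += n
        i += 2 if tag in (5, 6) else 1  # Long and Double take two slots
    return pool

def flagged_calls(data):
    """Return 'class.method' for each method reference that matches WATCH."""
    pool, hits = parse_pool(data), []
    for tag, body in pool.values():
        if tag in (10, 11):  # Methodref / InterfaceMethodref
            cls_i, nat_i = struct.unpack(">HH", body)
            cls = pool[struct.unpack(">H", pool[cls_i][1])[0]][1]
            name = pool[struct.unpack(">HH", pool[nat_i][1])[0]][1]
            if (cls, name) in WATCH or (cls, None) in WATCH:
                hits.append(f"{cls}.{name}")
    return hits

def utf8(s):  # builds a CONSTANT_Utf8 entry; used only for the sample below
    return b"\x01" + struct.pack(">H", len(s)) + s.encode()

# Constructed sample (not a real artifact): header plus a 6-entry pool.
SAMPLE = (struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 7)
          + utf8("java/lang/Runtime") + b"\x07\x00\x01"  # 1 Utf8, 2 Class
          + utf8("exec") + utf8("(Ljava/lang/String;)Ljava/lang/Process;")  # 3, 4
          + b"\x0c\x00\x03\x00\x04" + b"\x0a\x00\x02\x00\x05")  # 5 NameAndType, 6 Methodref
```

A hit shows that the class references the API, not that the call is reachable. A method name assembled at run time for reflection never appears as a Methodref, so it is not caught by this check alone.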
- Vulnerability and secret-leak testing on every version
- Static analysis reads the package without running it
- Dynamic sandbox runs it live and records behavior
- AI code analysis reads the full source and correlates the change against prior versions
[Illustration: your-service with com.google.code.gson:gson 2.14, org.apache.commons:commons-lang3 3.15, org.slf4j:slf4j-api 2.0 and org.acme:json-util 1.4.2; org.acme:json-util is labelled "static-init" and "maven-metrics.co".]
Scan your first Maven package free.
Your first 5 credits are free - that is 5 full scans, no card required.