Package registry: npm
npm packages, diffed on every published version.
A poisoned npm release can run code at install time, deep in your dependency tree. Extuno diffs each version and runs install hooks in a sandbox - with static, dynamic, and AI analysis on every scan.
npm, live inspection: inspecting event-stream 3.3.6 (npm package, update 3.3.5 -> 3.3.6). Static, dynamic and AI analysis: analyzing update.
What Extuno catches in npm
Evidence, not guesswork.
Each finding names the change, why it is dangerous, and the recommended action.
- Malicious postinstall (diff finding, severity: Critical): A postinstall script added on update runs code on every install.
- Transitive poisoning (diff finding, severity: Critical): A deep transitive dependency, not your direct one, carries the payload.
- New network on install (diff finding, recommended action: Review): The package contacts an external host during installation.
See it on a poisoned update
The payload hides in a transitive dependency
Extuno walks the tree, runs each install hook in a sandbox, and flags the one that beacons out.
- Vulnerability and secret-leak testing on every version
- Static analysis reads the package without running it
- Dynamic sandbox runs it live and records behavior
- AI code analysis reads the full source and correlates the change against prior versions
Illustrated dependency tree: your-app depends on lodash 4.17.21, chalk 5.3.0 and build-tools 2.1.0; deeper in the tree, flatmap-stream 0.1.1 carries a postinstall hook that contacts npmjs-cdn.co.
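The "install hook added on update, deep in the tree" check described above can be reproduced locally for the static part. The following is an added example, not Extuno's code: it walks two resolved dependency trees (before and after an update), indexes each package's preinstall/install/postinstall scripts, and reports every hook that is new or whose command changed, together with how deep in the tree the package sits. The tree shape, the helper names and the sample data (mirroring the page's event-stream / flatmap-stream illustration, with placeholder script commands) are all constructed for this example; in practice you would build each tree from node_modules/**/package.json or the output of npm ls --json. It only sees what a manifest declares, so it cannot replace the dynamic sandbox for the "new network on install" finding.

```javascript
// Added example (not Extuno's code): diff install-time lifecycle hooks between
// two resolved npm dependency trees and flag packages that gained one on update.
// Tree shape: { name, version, scripts?, dependencies: [tree...] } (constructed).

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Depth-first walk yielding every package with its path from the root app.
function* walk(pkg, path = []) {
  const here = [...path, `${pkg.name}@${pkg.version}`];
  yield { pkg, path: here };
  for (const dep of pkg.dependencies || []) yield* walk(dep, here);
}

// Map package name -> { version, hooks, path }. Keyed by name (not name@version)
// so that a version bump is compared against the package it replaced.
function indexInstallHooks(root) {
  const byName = new Map();
  for (const { pkg, path } of walk(root)) {
    if (byName.has(pkg.name)) continue; // first occurrence wins in a deduplicated tree
    const hooks = {};
    for (const h of INSTALL_HOOKS) {
      if (pkg.scripts && pkg.scripts[h]) hooks[h] = pkg.scripts[h];
    }
    byName.set(pkg.name, { version: pkg.version, hooks, path });
  }
  return byName;
}

// One finding per install hook that is new, or whose command changed, on update.
function diffInstallHooks(before, after) {
  const prev = indexInstallHooks(before);
  const findings = [];
  for (const [name, cur] of indexInstallHooks(after)) {
    const old = prev.get(name);
    for (const [hook, script] of Object.entries(cur.hooks)) {
      if (old && old.hooks[hook] === script) continue; // same hook, same command: unchanged
      const depth = cur.path.length - 1; // 1 = direct dependency of the app
      findings.push({
        name,
        version: cur.version,
        previousVersion: old ? old.version : null, // null = package is new to the tree
        hook,
        script,
        depth,
        transitive: depth > 1,
        path: cur.path.join(' > '),
        severity: 'Critical', // the page's rating for an install hook added on update
      });
    }
  }
  return findings;
}

// Constructed sample trees. Script commands are placeholders, not real payloads.
const pkg = (name, version, dependencies = [], scripts) =>
  ({ name, version, dependencies, ...(scripts ? { scripts } : {}) });

const before = pkg('your-app', '1.0.0', [
  pkg('lodash', '4.17.21'),
  pkg('chalk', '5.3.0'),
  pkg('build-tools', '2.1.0', [pkg('event-stream', '3.3.5')],
      { postinstall: 'node ./link-bins.js' }),
]);

// After the update: event-stream 3.3.5 -> 3.3.6 pulls in flatmap-stream 0.1.1,
// which declares a postinstall hook that no earlier tree had.
const after = pkg('your-app', '1.0.0', [
  pkg('lodash', '4.17.21'),
  pkg('chalk', '5.3.0'),
  pkg('build-tools', '2.1.0', [
    pkg('event-stream', '3.3.6', [
      pkg('flatmap-stream', '0.1.1', [], { postinstall: 'node ./setup.js' }),
    ]),
  ], { postinstall: 'node ./link-bins.js' }),
]);

function report() {
  return diffInstallHooks(before, after);
}

for (const f of report()) {
  console.log(`${f.severity}: ${f.name}@${f.version} gained ${f.hook} "${f.script}" ` +
              `(depth ${f.depth}${f.transitive ? ', transitive' : ''}; ${f.path})`);
}
```

build-tools keeps the same postinstall command in both trees and is therefore not reported; only flatmap-stream, three levels down, produces a finding. Treat a changed script command the same as a new one: a hook that already existed is just as dangerous once its command changes.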
Scan your first npm package free.
Your first 5 credits are free - that is 5 full scans, no card required.