Package registry: npm

npm packages, diffed on every published version.

A poisoned npm release can run code at install time, deep in your dependency tree. Extuno diffs each version and runs install hooks in a sandbox - with static, dynamic, and AI analysis on every scan.

npm - live inspection demo: inspecting event-stream 3.3.6 (npm package, update 3.3.5 -> 3.3.6) with static, dynamic and AI analysis of the update.
What Extuno catches in npm

Evidence, not guesswork.

Each finding names the change, why it is dangerous, and the recommended action.

Diff finding: Malicious postinstall (Critical)

A postinstall script added on update runs code on every install.

Diff finding: Transitive poisoning (Critical)

A deep transitive dependency, not your direct one, carries the payload.

Diff finding: New network on install (Review)

The package contacts an external host during installation.
See it on a poisoned update

The payload hides in a transitive dependency

Extuno walks the tree, runs each install hook in a sandbox, and flags the one that beacons out.

  • Vulnerability and secret-leak testing on every version
  • Static analysis reads the package without running it
  • Dynamic sandbox runs it live and records behavior
  • AI code analysis reads the full source and correlates the change against prior versions
Illustration (dependency tree of your-app): lodash 4.17.21, chalk 5.3.0, build-tools 2.1.0, flatmap-stream 0.1.1 (postinstall hook); flagged: flatmap-stream contacts npmjs-cdn.co during install.
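The static half of what the tree walk above describes, as an added example that is not Extuno's code: two snapshots of a resolved dependency tree are flattened into root-to-leaf paths, and any package whose npm lifecycle hook (preinstall, install, postinstall, prepare) appeared or changed between the snapshots is reported with its path, so a hook that shows up in a transitive dependency is called out as such. The tree shape mirrors the nested `dependencies` layout of `npm ls --json`, but the `scripts` fields are assumed to have been collected from each installed package's own package.json (npm ls does not report them); the package names, versions and script bodies below are constructed sample data, and the network-marker heuristic is this example's own, not a substitute for the dynamic sandbox the page describes.

```python
"""Diff two snapshots of a resolved npm dependency tree and flag packages
whose install-time lifecycle scripts appeared or changed between them."""

from __future__ import annotations

from typing import Dict, List, Tuple

# npm lifecycle hooks that run automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Crude static markers for "this hook may talk to the network" (heuristic only;
# a real verdict needs the sandbox run that records actual connections).
NETWORK_MARKERS = ("curl ", "wget ", "http://", "https://", "fetch(", "net.connect")

Path = Tuple[str, ...]


def flatten(deps: dict, path: Path = ()) -> Dict[Path, dict]:
    """Walk a nested {name: {version, scripts, dependencies}} tree and return
    {path: node}; path is the chain of package names from the application root,
    so len(path) == 1 means a direct dependency and > 1 a transitive one."""
    out: Dict[Path, dict] = {}
    for name, node in deps.items():
        here = path + (name,)
        out[here] = node
        out.update(flatten(node.get("dependencies", {}), here))
    return out


def lifecycle_scripts(node: dict) -> Dict[str, str]:
    """Keep only the hooks npm runs on install; ignore build/test scripts."""
    return {h: s for h, s in node.get("scripts", {}).items() if h in LIFECYCLE_HOOKS}


def hook_changes(old_deps: dict, new_deps: dict) -> List[dict]:
    """Report every lifecycle hook that is new or rewritten in new_deps relative
    to old_deps. A hook added on update is rated critical (it runs on every
    install from now on); a rewritten hook is flagged for review."""
    old, new = flatten(old_deps), flatten(new_deps)
    findings: List[dict] = []
    for path, node in new.items():
        before = lifecycle_scripts(old.get(path, {}))
        for hook, body in lifecycle_scripts(node).items():
            if hook not in before:
                change = "added"
            elif before[hook] != body:
                change = "changed"
            else:
                continue  # identical hook in both versions: nothing to report
            findings.append({
                "package": path[-1],
                "version": node.get("version"),
                "path": " > ".join(path),
                "transitive": len(path) > 1,
                "hook": hook,
                "change": change,
                "script": body,
                "mentions_network": any(m in body for m in NETWORK_MARKERS),
                "severity": "critical" if change == "added" else "review",
            })
    return findings


# Constructed sample snapshots: the previous and the updated lockfile state.
OLD_DEPS = {
    "lodash": {"version": "4.17.21"},
    "chalk": {"version": "5.3.0"},
    "build-tools": {
        "version": "2.1.0",
        "scripts": {"build": "tsc -p ."},
        "dependencies": {"flatmap-stream": {"version": "0.1.0"}},
    },
}
NEW_DEPS = {
    "lodash": {"version": "4.17.21"},
    "chalk": {"version": "5.3.0"},
    "build-tools": {
        "version": "2.1.0",
        "scripts": {"build": "tsc -p ."},
        "dependencies": {
            "flatmap-stream": {
                "version": "0.1.1",
                # Hypothetical hook body added in the update (constructed).
                "scripts": {"postinstall": "node ./scripts/setup.js"},
            }
        },
    },
}

if __name__ == "__main__":
    for f in hook_changes(OLD_DEPS, NEW_DEPS):
        where = "transitive" if f["transitive"] else "direct"
        print(f"[{f['severity']}] {f['path']}@{f['version']}: "
              f"{f['hook']} {f['change']} ({where}) -> {f['script']!r}")
```

Running it prints one critical finding for build-tools > flatmap-stream@0.1.1, a postinstall hook added in a transitive dependency; the unchanged `build` script of build-tools is ignored because it is not an install-time hook. The severity policy is deliberately simple: anything that starts executing on install without having done so before is critical, and only the dynamic run can confirm whether it actually contacts an external host.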

Scan your first npm package free.

Your first 5 credits are free - that is 5 full scans, no card required.