FAQ

Answers, in plain terms.

Common questions about what Extuno detects, how it scans, and how to start.

What does Extuno actually detect?
Extuno catches supply-chain risk in browser extensions and developer packages - especially a clean version that turns malicious through an update. It diffs each version against the one before it and reports the exact change, why it is dangerous, and the recommended action.
Which ecosystems are covered?
Eight: Chrome and Firefox extensions; VS Code, JetBrains, and Eclipse plugins; Discord client mods; and npm, PyPI, WordPress, Composer, and Maven packages. Every result uses the same evidence format.
What are the three scan layers?
Static analysis reads the code without running it, using 1100+ rules. The dynamic sandbox runs the real artifact live in a network-segmented micro-VM and records its behavior. AI analysis reads the full source of every version, correlates the static and dynamic findings, and flags anomalies against the package's own history.
How is the free trial structured?
Your first 5 credits are free - that is 5 full scans, no card required. One credit runs one scan, including static, dynamic, and AI analysis with full evidence.
Does the browser companion cost anything?
No. The companion is free. It scans installed extensions, runs a server-side deep scan, and blocks malicious sites, trackers, miners, phishing, and dangerous downloads.
Can Extuno run in CI?
Yes. The CI gate runs 1000+ anchored secret detectors with SARIF output and a pass/fail check on every pull request, with git-history and baseline support for GitHub and GitLab.
Is a Chrome extension I installed safe?
Open Extuno or the free browser companion. It checks each installed extension against the threat database and a known-malicious catalog and runs a live deep scan of the published package, returning a clean, suspicious, or malicious verdict with the evidence behind it. A popular, long-standing extension is still worth checking, because the danger is often a later update, not the first release.
Which browser extension permissions are risky?
Broad host access (all sites), cookies, scripting, webRequest, debugger, nativeMessaging, and proxy give an extension deep reach into pages, sessions, and network traffic. Extuno maps the permissions an extension requests against the ones it actually uses at runtime and flags dangerous combinations. See our guide on browser extension permissions.
How do you scan an npm package?
Extuno downloads the published tarball, reads it statically with 1100+ rules (install-script execution, obfuscation, leaked secrets), runs it in a network-segmented sandbox to capture what it contacts and sends, reviews the source with AI, and diffs it against the prior version. See npm package security.
How do you scan a PyPI package?
The same pipeline as npm: a static read of the sdist or wheel including setup.py install-time code, a sandbox run, an AI review, and a version diff. Install-time code that reaches the network or reads credentials is flagged with evidence. See PyPI package security.
What is version diffing and why does it matter?
Version diffing compares a new release against the one it replaces and reports the security-relevant delta: a new exfiltration host, an added dangerous permission, fresh obfuscation, a weakened content security policy, or new remote code. It is how an extension or package that was clean for months but poisoned in an update gets caught.
Can an extension steal my cookies or session?
Yes. An extension with cookie or broad host access can read session cookies and authorization headers and send them to a server. Extuno follows cookie and auth data to network sinks, and the sandbox records the actual request and payload, so a theft flow is shown with evidence rather than a bare permission warning.
What is typosquatting?
Typosquatting is publishing a malicious package under a name close to a popular one (a swapped letter, an added hyphen, a scope change) so a typo installs it. Extuno flags name similarity to well-known packages and scans the package itself for install-time and runtime malice.
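The name-similarity check described above, as an added example (written for this FAQ, not Extuno's detector): it normalises case, separators and scope, then flags names that match a well-known package after normalisation or sit one edit away from it, where a swapped adjacent letter counts as one edit. POPULAR is a constructed sample list, not a registry feed.

```python
# Added example, not Extuno's code. POPULAR is a constructed sample, not a registry feed.
POPULAR = ["lodash", "express", "@types/node", "react-dom", "requests"]

def _normalise(name):
    """Lower-case, split off an npm-style scope, and drop the separators squatters vary."""
    scope, _, bare = name.rpartition("/")  # "@types/node" -> scope "@types", bare "node"
    for sep in "-_.":
        bare = bare.replace(sep, "")
    return scope.lower(), bare.lower()

def _osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped letter costs one edit
    return d[len(a)][len(b)]

def typosquat_suspects(name, popular=POPULAR):
    """Return (well-known name, reason) pairs that `name` imitates; empty for exact or unrelated names."""
    if name in popular:
        return []
    scope, bare = _normalise(name)
    suspects = []
    for known in popular:
        known_scope, known_bare = _normalise(known)
        if bare == known_bare:
            reason = "scope change" if scope != known_scope else "separator or case change"
            suspects.append((known, reason))
        elif _osa_distance(bare, known_bare) == 1:
            suspects.append((known, "one edit away"))
    return suspects

if __name__ == "__main__":
    for candidate in ("lodahs", "@lodash/lodash", "react_dom", "left-pad"):
        print(candidate, "->", typosquat_suspects(candidate))
```

Name similarity is a signal, not a verdict: legitimate packages such as npm's request sit one edit from PyPI's requests, which is why the text pairs this check with a scan of the package's own install-time and runtime behavior.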
What is dependency confusion?
Dependency confusion tricks a build into pulling a public package instead of an intended internal one with the same name. Extuno scans the resolved package for install-script execution, network calls, and secret access, and version-diffs it. Pin and scope internal names, and gate installs with the CI check.
What is slopsquatting?
Slopsquatting is registering package names that AI coding tools tend to hallucinate, so a suggested but nonexistent import resolves to an attacker's package. Treat every new dependency as untrusted: Extuno scans it for install-time and runtime behavior before it ships, and the CI gate blocks a malicious one.
Do you scan VS Code extensions?
Yes. A VS Code extension is analyzed statically and in the sandbox, because it runs with the developer's privileges and can execute commands and reach the network. JetBrains and Eclipse plugins are covered as well. See IDE extension security.
How is Extuno different from an online file-reputation scanner?
A reputation lookup tells you whether a file was seen before; it does not read what a new or updated extension actually does. Extuno reads the code, runs it in a sandbox, and diffs versions, so a brand-new malicious update with no prior reputation is still caught, with evidence.
How is Extuno different from a vulnerability database lookup?
A vulnerability database lists known-vulnerable versions of known libraries. It does not catch a freshly published malicious package or a poisoned update that has no advisory yet. Extuno analyzes the artifact directly and version-diffs it, so novel supply-chain malice is flagged before any database entry exists.
How is Extuno different from a dependency (SCA) tool?
Dependency scanners match your libraries against known-vulnerable versions. Extuno adds behavioral sandbox analysis, install-time code review, leaked-secret detection, and version diffing, so it catches malicious and poisoned packages, not only vulnerable ones.
How is Extuno different from a secret-only scanner?
Secret scanners find leaked keys. Extuno includes 1000+ anchored secret detectors and adds malware, permission, obfuscation, and behavioral analysis over both source and runtime traffic, with a CI gate. Secret detection is one layer, not the whole product.