Capabilities

Detection you can see.

Every extension and package gets the full battery - vulnerability and secret-leak testing, static and dynamic analysis, and AI code analysis - in one evidence format that names the file, the change, why it is dangerous, and what to do next.

Illustration: live supply-chain inspection of event-stream 3.3.6 (npm package, update 3.3.5 -> 3.3.6), with the static, dynamic, and AI layers analyzing the update.

The update-channel attack, caught.

Extuno compares each update against the version before it and flags severity-band escalation - the moment a clean release turns malicious.

  • + New exfiltration channels introduced on update
  • + Added permissions and weakened content policy
  • + New remote-code paths that evade review
Illustration: supply-chain diff card
  Update lineage: v3.0.9 -> v3.1.0 -> v3.1.1 -> v3.1.2
  Sandbox run #48212: critical (cookie exfil, wallet read, mic request)
Dynamic sandbox

Run it before it runs on you.

Extuno executes the real extension or package in an ephemeral, network-segmented micro-VM and records exactly what it does.

  • + Network endpoints and outbound payloads
  • + Credential, session, and wallet theft
  • + Crypto-miners and covert command traffic
Static analysis

1100+ rules, one verdict.

Capability abuse, remote-code, credential theft, evasion, surveillance, covert command traffic, and obfuscation - scored into a single, defensible verdict.

  • + Severity-banded: clean, review, critical
  • + Every rule maps to a concrete finding
  • + Verdict you can take to a change board
Illustration: static verdict card
  Capability abuse: clean
  Remote code (MV3): critical
  Credential theft: critical
  Evasion: review
  Obfuscation: review
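The version-diff detection and the severity-banded verdict described above can be shown together in a small detector. The code below is an added example written for this page, not Extuno's own engine: it compares two consecutive releases of a browser extension (constructed manifest excerpts plus the outbound hosts a sandbox run would record), flags added permissions, a weakened content security policy, and new outbound hosts, places each finding in a band (clean, review, critical), reduces the release to a single verdict, and reports when the verdict rose between versions. The permission risk list and the band assigned to each finding kind are assumptions made for the example.

```python
"""Version-diff detection with severity bands (example code, not Extuno's).

Compares a release against its predecessor and reports the escalations the
page lists: new exfiltration channels, added permissions, weakened CSP.
"""
from typing import Any, Dict, List, Tuple

BANDS = ("clean", "review", "critical")  # ordered, lowest to highest

# Assumed for this example: permissions that grant cross-site reach or code
# execution are treated as critical when they appear in an update.
HIGH_RISK_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking",
                         "cookies", "debugger", "nativeMessaging"}

Release = Dict[str, Any]  # {"permissions": [...], "csp": str, "hosts": set()}
Finding = Tuple[str, str, str]  # (kind, band, detail)


def _csp_sources(csp: str, directive: str) -> set:
    """Return the source list of one CSP directive, e.g. script-src."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0] == directive:
            return set(tokens[1:])
    return set()


def diff_release(prev: Release, curr: Release) -> List[Finding]:
    """Compare two releases and return the findings the update introduces."""
    findings: List[Finding] = []
    # 1. Added permissions: high-risk ones are critical, anything else is review.
    for perm in sorted(set(curr["permissions"]) - set(prev["permissions"])):
        band = "critical" if perm in HIGH_RISK_PERMISSIONS else "review"
        findings.append(("added-permission", band, perm))
    # 2. Weakened CSP: script-src gaining a remote origin or 'unsafe-eval'
    #    opens a remote-code path that a manifest review can miss.
    old_src = _csp_sources(prev["csp"], "script-src")
    new_src = _csp_sources(curr["csp"], "script-src")
    for src in sorted(new_src - old_src):
        if src.startswith("http") or src == "'unsafe-eval'":
            findings.append(("weakened-csp", "critical", src))
    # 3. New exfiltration channels: outbound hosts the prior version never contacted.
    for host in sorted(curr["hosts"] - prev["hosts"]):
        findings.append(("new-outbound-host", "critical", host))
    return findings


def verdict(findings: List[Finding]) -> str:
    """Single verdict for a release: the highest band among its findings."""
    if not findings:
        return "clean"
    return max((band for _, band, _ in findings), key=BANDS.index)


def band_escalated(prev_verdict: str, curr_verdict: str) -> bool:
    """True when the verdict rose between releases (e.g. clean -> critical)."""
    return BANDS.index(curr_verdict) > BANDS.index(prev_verdict)


def analyze_update(prev: Release, curr: Release, prev_verdict: str = "clean"):
    """Return (findings, current verdict, escalated?) for one update.

    prev_verdict is the stored verdict of the previous release; it defaults
    to clean, as for a release that passed earlier checks.
    """
    findings = diff_release(prev, curr)
    curr_verdict = verdict(findings)
    return findings, curr_verdict, band_escalated(prev_verdict, curr_verdict)


# Constructed sample data: a clean 1.4.0 followed by a suspicious 1.4.1.
# Hosts use the reserved .test TLD; none of these are real extensions.
V140: Release = {
    "permissions": ["storage", "activeTab"],
    "csp": "script-src 'self'; object-src 'self'",
    "hosts": {"api.example-extension.test"},
}
V141: Release = {
    "permissions": ["storage", "activeTab", "cookies", "<all_urls>"],
    "csp": "script-src 'self' https://cdn.example-attacker.test; object-src 'self'",
    "hosts": {"api.example-extension.test", "collect.example-attacker.test"},
}

if __name__ == "__main__":
    found, result, escalated = analyze_update(V140, V141)
    for kind, band, detail in found:
        print(f"{band:8} {kind:20} {detail}")
    print(f"verdict: {result}  escalated: {escalated}")
```

The verdict is deliberately the maximum band rather than a weighted score: one critical finding, such as a new outbound host, should fail the release on its own, and a reviewer can trace the verdict back to that single finding.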
Vulnerability testing

Known-vulnerable code, surfaced.

Beyond malicious intent, Extuno tests every extension and package for vulnerable code paths, unsafe APIs, and risky dependencies - so a benign-but-exploitable release does not slip through.

  • + Unsafe API and injection-prone patterns
  • + Vulnerable and outdated dependencies
  • + Every finding mapped to its location and fix
Illustration: vulnerability report card (3 issues)
  Prototype pollution: critical - unsafe merge in util.js
  Outdated dependency: review - axios 0.21.1, known CVEs
  Unsafe innerHTML: review - DOM sink without sanitization
AI analysis

The full source, read and correlated.

An analysis layer reads the complete source of every version and ties the static and dynamic results together - clustering related findings, flagging anomalies against a package's own history, and matching known-malware behavior.

  • + Reads the full source code of every version
  • + Anomaly flags against prior versions
  • + Known-malware similarity and campaign clustering
  • + Every flag links back to its evidence
Illustration: correlation card (anomaly)
  Static + dynamic agree: critical - both layers flag exfiltration
  Behavior unlike prior versions: critical - new outbound host on this release
  Similar to known campaign: review - matches a clustered family
Illustration: pull request gate card reading "gate failed - 1 secret"
Secret-leak testing

A pass/fail check on every pull request.

1000+ anchored secret detectors test extensions, packages, and your own repos for leaked keys, tokens, and credentials - with standard scan output, git-history scanning, and baseline support.

  • + Standard SARIF output for code scanning
  • + Git-history and baseline support
  • + GitHub and GitLab pipelines
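To make the pass/fail gate concrete, here is an added example written for this page, not Extuno's own scanner: two anchored regex detectors (word-boundary anchored, which is this example's reading of "anchored") run over a constructed repository snapshot, findings already accepted in a baseline are suppressed by fingerprint, and the remainder is emitted as a minimal SARIF 2.1.0 log of the kind GitHub and GitLab code scanning ingest. The detector set, the fingerprint scheme, and the tool name are assumptions for the example; the sample key is Amazon's documented example access key id and the GitHub token is a made-up string in the real format.

```python
"""Secret-leak gate with baseline and SARIF output (example code, not Extuno's)."""
import hashlib
import json
import re
from typing import Dict, List, Set

# Detector patterns anchored on word boundaries so a token inside a longer
# identifier does not match. Formats are public: AWS access key ids are
# AKIA + 16 uppercase/digits; GitHub personal access tokens are ghp_ + 36.
DETECTORS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}


def fingerprint(rule: str, path: str, secret: str) -> str:
    """Stable id for a finding so a baseline can suppress it without storing the secret."""
    return hashlib.sha256(f"{rule}:{path}:{secret}".encode()).hexdigest()[:16]


def scan_files(files: Dict[str, str]) -> List[dict]:
    """Run every detector over every file; one finding per match, secret not kept."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for rule, pattern in DETECTORS.items():
                for m in pattern.finditer(line):
                    findings.append({
                        "rule": rule, "path": path, "line": line_no,
                        "column": m.start() + 1,
                        "fingerprint": fingerprint(rule, path, m.group(0)),
                    })
    return findings


def apply_baseline(findings: List[dict], baseline: Set[str]) -> List[dict]:
    """Drop findings whose fingerprint was accepted in an earlier baseline run."""
    return [f for f in findings if f["fingerprint"] not in baseline]


def to_sarif(findings: List[dict]) -> dict:
    """Minimal SARIF 2.1.0 log: one run, one result per finding, location and fingerprint only."""
    return {
        "version": "2.1.0",
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "runs": [{
            "tool": {"driver": {"name": "example-secret-scanner",
                                "rules": [{"id": r} for r in DETECTORS]}},
            "results": [{
                "ruleId": f["rule"],
                "level": "error",
                "message": {"text": f"Possible {f['rule']} leaked"},
                "partialFingerprints": {"secret/v1": f["fingerprint"]},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": f["path"]},
                    "region": {"startLine": f["line"], "startColumn": f["column"]},
                }}],
            } for f in findings],
        }],
    }


def gate(files: Dict[str, str], baseline: Set[str] = frozenset()):
    """Pull-request gate: (passed, sarif_log); passes only when no new finding remains."""
    findings = apply_baseline(scan_files(files), baseline)
    return (len(findings) == 0, to_sarif(findings))


# Constructed repository snapshot. Neither credential is live.
SAMPLE_FILES = {
    "config/settings.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "REGION = 'us-east-1'\n"
    ),
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        "export GH_TOKEN=ghp_0123456789abcdef0123456789abcdef0123\n"
    ),
}

if __name__ == "__main__":
    passed, log = gate(SAMPLE_FILES)
    count = len(log["runs"][0]["results"])
    print("gate passed" if passed else f"gate failed - {count} secret(s)")
    print(json.dumps(log, indent=2))
```

The baseline stores fingerprints rather than the matched strings, so accepting a historical finding never copies the credential into a second file; the SARIF result carries the same fingerprint in partialFingerprints so the code-scanning service can deduplicate it across runs.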
Continuous monitoring

Set it once. Re-checked on every release.

Add extensions and packages to a watchlist and route findings to the channels your team already uses.

Monitoring

Watchlist: track any extension or package across all twelve ecosystems.

Alert lifecycle: open, acknowledge, and resolve - with a full audit trail.

Delivery: SIEM, Slack, Teams, PagerDuty, email, and signed webhooks.