Security terms, defined plainly.
The supply-chain and detection vocabulary Extuno uses - one idea per entry, in plain language.
Software supply-chain attack
An attack that compromises software indirectly by tampering with a trusted component, dependency, build system, or distribution channel rather than the target directly. Malicious code reaches victims through a vendor or package they already trust, amplifying reach across every downstream consumer.
Dependency confusion (substitution) attack
A package-manager trick where an attacker publishes a malicious package on a public registry using the same name as a victim's private internal package, so the build resolver pulls the attacker's higher-version public copy instead of the intended private one.
Package name typosquatting
Registering package or domain names that closely resemble popular ones, relying on a developer's spelling mistake or misremembered name to install the malicious look-alike. Common tactics include character swaps, omissions, and added words like 'js' or 'python'.
Slopsquatting (AI hallucination squatting)
Registering package names that AI coding assistants commonly hallucinate but that do not actually exist, so when a developer pastes generated code the resolver installs the attacker's pre-registered malicious package. The name is plausible yet fabricated rather than a typo.
Install-hook remote code execution
Abuse of lifecycle scripts such as npm preinstall and postinstall or a Python setup.py, which run automatically during installation. Attackers place code in these hooks so a package executes on the victim's machine before it is ever imported.
Update-channel compromise
Pushing malicious code to existing users by hijacking a legitimate product's update or release mechanism, for example through a stolen publisher account or signing key. Trusted installations silently receive the poisoned version. This is the central threat Extuno catches through version diffing.
Transitive (indirect) dependency
A package your project does not require directly but pulls in indirectly through one of its dependencies. Deep, often invisible dependency trees mean a single compromised transitive package can affect projects that never knowingly installed it.
Dependency lockfile
A generated manifest such as package-lock.json or poetry.lock that records the exact resolved versions and integrity hashes of every dependency. It pins the dependency tree so installs are reproducible and unexpected or substituted versions become detectable.
Software Bill of Materials
A machine-readable inventory listing every component, library, and version contained in a piece of software, often in CycloneDX or SPDX format. It lets defenders quickly answer whether a vulnerable or malicious dependency is present.
Build provenance (SLSA attestation)
Verifiable metadata describing how and where a software artifact was built, including the source commit, builder identity, and build steps. Frameworks like SLSA use signed provenance attestations so consumers can confirm an artifact came from the expected pipeline.
Sigstore artifact signing and Cosign
An open-source toolset for signing and verifying software artifacts. Cosign produces the signatures, Fulcio issues short-lived certificates tied to an OIDC identity, and Rekor records every signing event in a tamper-evident transparency log, enabling keyless verification.
Repository hijacking (repojacking)
A takeover of a source repository's namespace after the original owner renames or deletes their account, letting an attacker re-register the abandoned name. Dependencies and install scripts still pointing at that URL then fetch attacker-controlled code.
Manifest V3
The current Chrome and Firefox extension platform version. It replaces persistent background pages with service workers, swaps blocking webRequest for declarativeNetRequest, and forbids remotely hosted code to reduce abuse, though malicious extensions still find workarounds.
Extension content script
JavaScript an extension injects into web pages to read or modify their DOM. Running in the page context, it is a common vector for stealing form data, cookies, and credentials or for injecting phishing overlays onto trusted sites.
Background service worker
The event-driven background script that holds the central logic of an MV3 extension. It handles events, network requests, and messaging but is terminated when idle, so malware uses alarms or events to wake and beacon periodically.
Host permissions
Manifest entries granting an extension access to specific sites or URL patterns, controlling where its scripts run and which requests it can read or modify. Broad grants greatly expand the data an extension can reach and exfiltrate.
All-URLs host permission
A host-permission match pattern granting an extension access to every site the user visits over http and https. It is one of the highest-risk grants because it lets an extension read and alter all browsing activity.
Declarative Net Request API
The MV3 API for blocking or modifying network requests through declarative rules the browser evaluates itself, replacing blocking webRequest. Abuse includes stripping security headers, redirecting traffic, or removing Content-Security-Policy to enable injection.
Web-accessible resources
A manifest list of extension files that web pages or other extensions are allowed to load. Over-broad exposure enables page fingerprinting and clickjacking, and it is required for any declarativeNetRequest redirect to an extension-packaged page.
Content-Security-Policy
An HTTP header or manifest directive that restricts which script, style, and connection sources a page may load, limiting cross-site scripting and injection. Malicious extensions often strip or weaken it to allow remote or inline code.
Remotely hosted code
Executable code fetched from a server at runtime rather than shipped inside the package under review. MV3 bans it because it lets an extension pass store review clean, then download and run malicious logic later, evading static analysis.
Session and cookie theft
Stealing a browser's authentication cookies or session tokens so an attacker can replay them and access an account without the password or second factor. Malicious extensions read them via the cookies API or response headers.
Cyberhaven extension compromise (2024)
A December 2024 supply-chain incident where an OAuth consent phishing email compromised a developer's Chrome Web Store access, pushing a trojanized extension update that exfiltrated cookies and tokens. Over thirty extensions and millions of users were affected.
OAuth consent phishing
Tricking a victim into approving a malicious OAuth application's access request through a genuine provider authorization screen. Because consent grants tokens rather than authenticating, it can bypass multi-factor protections, as seen in the Cyberhaven compromise.
Indicator of compromise
An observable artifact that signals malicious activity, such as a C2 domain, IP address, file hash, URL, or registry key. Defenders match IOCs across scans and threat feeds to detect and correlate threats.
Command and control
The infrastructure malware contacts to receive instructions and send stolen data. Identifying C2 domains, IP addresses, or messaging endpoints such as Telegram bots or Discord webhooks is central to confirming that an extension or package is malicious.
Data exfiltration
The unauthorized transfer of data out of a system to an attacker-controlled destination, such as cookies, credentials, or keystrokes sent to a remote server. Detecting the source, the destination endpoint, and the payload confirms theft.
C2 beaconing
Repeated, often timed network callbacks malware makes to its command-and-control server to check in or await commands. Regular intervals with low timing variance are a strong behavioral signal, even when the contacted endpoint looks innocuous.
Code obfuscation
Deliberately transforming code to make it hard to read or analyze, using techniques like minification, string encoding, packers, or control-flow flattening. Attackers obfuscate to hide malicious logic and slip past human reviewers and static scanners.
Static analysis
Examining code, manifests, and resources without executing them to find dangerous patterns, secrets, permissions, and dataflows. It scales well and is safe to run, but obfuscation and remotely hosted code can hide behavior from it.
Dynamic analysis (sandboxing)
Executing a sample in an isolated, instrumented environment to observe real behavior such as network calls, file access, and API usage. It catches runtime-only and obfuscated activity that static analysis misses, but must run safely contained.
Taint (dataflow) analysis
A dataflow technique that tracks untrusted or sensitive values from a source, such as cookies or a password field, to a dangerous sink, such as a network request. A source reaching a sink reveals likely credential theft or exfiltration.
Cross-version diffing
Comparing two releases of the same extension or package to surface exactly what changed, especially newly added permissions, endpoints, or code. It is the core method for catching a benign project that was poisoned through an update.
MITRE ATT&CK framework
A curated, openly maintained knowledge base of real-world adversary tactics and techniques, each with a unique identifier. Mapping findings to ATT&CK techniques gives analysts a shared vocabulary for describing exactly how a threat operates.
YARA pattern-matching rules
A pattern-matching tool and rule language for identifying and classifying malware by textual or binary signatures. Analysts write YARA rules to flag files that contain known malicious strings, byte sequences, or structural traits.
Static Analysis Results Interchange Format
An OASIS-standard JSON format for representing the output of static analysis and security tools. Standardizing findings lets results flow into code review, CI gates, and dashboards across many different tools and platforms without custom parsing.
Common Vulnerabilities and Exposures
A public catalog that assigns a unique identifier to each disclosed software vulnerability, giving the industry a common reference. A CVE entry describes the flaw and affected versions so defenders can track and remediate it.
Common Weakness Enumeration
A community-maintained taxonomy of software weakness types, such as improper input validation or hard-coded credentials, each with a unique identifier. It classifies the underlying class of flaw, whereas a CVE names a specific real instance.
Zero-day vulnerability
A vulnerability that is exploited or disclosed before the vendor has a patch, leaving defenders no lead time to fix it. Because no signature or fix exists yet, detection relies on behavioral and anomaly indicators.
Node Package Manager registry
The default package registry and dependency manager for JavaScript and Node.js, hosting millions of packages. Its scale, nested dependencies, and install scripts make it a frequent target for typosquatting, dependency confusion, and malicious updates.
Python Package Index
The official registry for Python packages, installed with pip. Packages ship as wheels or source distributions, and a malicious setup.py can run code at install time, making it a recurring software supply-chain target.
Open VSX Registry
A vendor-neutral, open-source registry for editor extensions built on the VS Code model, run by the Eclipse Foundation. It serves VS Code forks and Theia-based editors that cannot use Microsoft's marketplace, and is itself a supply-chain surface.
Chrome extension package (.crx)
The packaging format for Chromium browser extensions, essentially a ZIP archive with a signature header. Extuno unpacks CRX files to inspect the manifest, scripts, and resources of a Chrome or Chromium-based extension.
Semantic Versioning
A versioning convention of MAJOR.MINOR.PATCH where each segment signals the kind of change. Dependency ranges like ^1.2.0 rely on it, but loose ranges can silently pull a newer, potentially malicious release.
Crypto wallet drainer
Malicious code that empties a victim's cryptocurrency wallet, typically by tricking them into signing a transaction or token approval that transfers assets to the attacker. Modern drainers combine off-chain signature requests with approval abuse.
Recovery seed phrase
A list of usually twelve or twenty-four words that encodes a cryptocurrency wallet's master private key and can restore full access to its funds. Malware that captures a seed phrase grants the attacker complete, irreversible control.
Clipboard hijacker (clipper)
Malware that monitors the clipboard and, when it sees a cryptocurrency address, swaps it for the attacker's address, so a copied and pasted payment is silently redirected. The substitution is easy to miss before confirming a transaction.
Cryptojacking (unauthorized mining)
The unauthorized use of a victim's device to mine cryptocurrency, draining CPU and power without consent. In extensions and packages it often appears as bundled WebAssembly miners or scripts that contact known mining pools.
Secret and credential leak
An exposed credential such as an API key, token, private key, or database password left in source, config, or shipped build artifacts. Leaked secrets let attackers access the associated service, so scanners surface the full value for rotation.
Entropy-based secret detection
A technique that flags high-randomness strings, measured by Shannon entropy, as likely secrets such as keys or tokens. High entropy catches credentials with no fixed prefix, though it must be tuned to avoid flagging hashes and identifiers.