The pipeline

From submission to evidence.

Every extension and package follows the same seven-stage path. Static, dynamic, and AI analysis feed a single verdict - with the evidence attached.

01 Discover -> 02 Acquire -> 03 Static -> 04 Dynamic -> 05 Diff -> 06 Score -> 07 Report
Stage by stage

Watch each step work.

Numbered because it is a real sequence - each stage feeds the next.

Stage 01

Discover

Extuno finds the extension or package and every published version across its ecosystem, so nothing ships without being seen.

Stage 02

Acquire

It pulls the exact artifact for the version under review, untouched, into an isolated workspace.

Stage 03

Static analysis

1100+ rules read the code without running it - capability abuse, remote code, credential theft, evasion, and obfuscation.

Stage 04

Dynamic sandbox

The real artifact runs live in an ephemeral, network-segmented micro-VM that records every endpoint, payload, and API call.

Stage 05

Diff

Extuno compares the version against the one before it to flag exactly what this update changed - and whether any of it is dangerous.

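The diff stage described above, as an added illustration (not Extuno's code): two constructed package.json documents, one per version, are compared and every security-relevant change is reported as a finding. The rule ids (dep.added, script.install-hook, entry.changed, bin.added) and the sample manifests are assumptions made for this example; the severity levels mirror SARIF's error/warning so the output can feed the later stages.

```python
"""Stage 05, Diff: compare a package manifest against the previous version and
flag what the update changed. Added illustration only, not Extuno's code; the
two package.json documents below are constructed samples and the rule ids are
hypothetical."""
from __future__ import annotations

import json
from dataclasses import dataclass

# npm lifecycle scripts that execute on every consumer's machine during install.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


@dataclass(frozen=True)
class Finding:
    severity: str   # "error" or "warning", mirroring SARIF levels
    rule: str       # hypothetical rule id chosen for this example
    detail: str


def diff_manifests(prev: dict, curr: dict) -> list[Finding]:
    """Return one Finding per security-relevant change from prev to curr."""
    findings: list[Finding] = []

    # 1. Newly introduced dependencies widen the supply chain of every consumer.
    for section in ("dependencies", "optionalDependencies"):
        added = set(curr.get(section, {})) - set(prev.get(section, {}))
        for name in sorted(added):
            findings.append(Finding("warning", "dep.added",
                                    f"{section}: {name}@{curr[section][name]}"))

    # 2. Install hooks added or changed in this version run arbitrary code at install time.
    prev_scripts, curr_scripts = prev.get("scripts", {}), curr.get("scripts", {})
    for hook in INSTALL_HOOKS:
        if hook in curr_scripts and curr_scripts[hook] != prev_scripts.get(hook):
            findings.append(Finding("error", "script.install-hook",
                                    f"{hook}: {curr_scripts[hook]}"))

    # 3. A changed entry point or a new bin redirects what consumers actually execute.
    if curr.get("main") != prev.get("main"):
        findings.append(Finding("warning", "entry.changed",
                                f"main: {prev.get('main')} -> {curr.get('main')}"))
    for name in sorted(set(curr.get("bin", {})) - set(prev.get("bin", {}))):
        findings.append(Finding("warning", "bin.added", f"bin: {name}"))

    return findings


# Constructed sample manifests: the update adds a dependency and a postinstall hook.
PREV = json.loads("""{
  "name": "example-lib", "version": "3.3.5", "main": "index.js",
  "dependencies": {"through": "^2.3.8"},
  "scripts": {"test": "node test.js"}
}""")
CURR = json.loads("""{
  "name": "example-lib", "version": "3.3.6", "main": "index.js",
  "dependencies": {"through": "^2.3.8", "example-telemetry": "0.1.2"},
  "scripts": {"test": "node test.js", "postinstall": "node ./lib/setup.js"}
}""")

if __name__ == "__main__":
    for f in diff_manifests(PREV, CURR):
        print(f"{f.severity:8} {f.rule:22} {f.detail}")
```

Comparing each version only against its predecessor is what keeps the output small: a consumer who already vetted 3.3.5 only has to read the two lines this run produces.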
Stage 06

Score

Static, dynamic, and AI signals combine into one severity verdict: clean, review, or critical.

Stage 07

Report

The finding ships with evidence - file, line, payload, why it is dangerous, and the recommended action - to your channels.

Under the hood

Built for engineers who want the receipts.

No black box. Every stage emits a structured artifact you can inspect, diff, and pipe into your own tooling - SARIF, JSON, and signed webhooks. Here is what the engine actually runs.

 rules  family
 -----  ----------------
 210    Capability abuse
 120    MV3 remote code
 180    Credential theft
 140    Evasion
 90     Surveillance
 150    Covert C2
 110    Obfuscation
 1000+  Secret detectors
Dynamic sandbox

An ephemeral micro-VM per run.

Each artifact executes in its own throwaway, network-segmented VM. Nothing leaves except through a recording proxy, and the VM is destroyed the moment the run completes.

  • Full syscall, DNS, and HTTP(S) capture with exact payloads
  • Filesystem, clipboard, and credential-store diff plus screenshots
  • Deterministic replay from the captured trace
  • No egress to the open internet during analysis
extuno scan - SARIF (exit 1)

$ extuno scan npm:[email protected] \
    --diff 3.3.5 --sarif

 level    rule             location
 -------  ---------------  ----------------------
 error    exfil.cookie     flatmap-stream:42
 error    net.new-host     cdn-metrics.io
 warning  perm.escalation  package.json

 verdict: critical
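The Score and Report stages, as an added example that is not Extuno's code: the three findings from the sample run above are rolled up into a clean/review/critical verdict, written out as a minimal SARIF 2.1.0 log, and the serialized body is signed for delivery to a webhook. The roll-up policy (an error corroborated by a second analysis source is critical, anything else non-clean is review), the static/dynamic source tags, the exit-code mapping for review, and the HMAC-SHA256 header scheme are assumptions made for this example; only the rule ids, locations, levels and the critical-exits-1 behaviour come from the page.

```python
"""Stages 06 and 07, Score and Report: roll findings up to one verdict, emit a
minimal SARIF 2.1.0 log, and sign the webhook body. Added illustration, not
Extuno's code. Rule ids, levels and locations are the sample run's; the source
tags, the scoring policy and the signing scheme are assumptions."""
import hashlib
import hmac
import json

# (level, rule, location, source) as the sample run printed them; the "source"
# column is constructed here so the roll-up across static and dynamic signals shows.
FINDINGS = [
    ("error", "exfil.cookie", "flatmap-stream:42", "static"),
    ("error", "net.new-host", "cdn-metrics.io", "dynamic"),
    ("warning", "perm.escalation", "package.json", "static"),
]

# Exit 1 on critical matches the sample run; 0 for clean and review is assumed.
EXIT_CODES = {"clean": 0, "review": 0, "critical": 1}


def verdict(findings) -> str:
    """Assumed policy: an error corroborated by a second source (static exfil
    plus a dynamic new host) is critical; any other error or warning is review."""
    sources_with_error = {src for level, _, _, src in findings if level == "error"}
    if len(sources_with_error) >= 2:
        return "critical"
    if any(level in ("error", "warning") for level, _, _, _ in findings):
        return "review"
    return "clean"


def to_sarif(findings, tool="extuno", version="0.0.0-example") -> dict:
    """Minimal SARIF 2.1.0 log: one run, one result per finding, the verdict
    carried in the run's properties bag so downstream tooling can gate on it."""
    results = []
    for level, rule, location, source in findings:
        # "file:line" becomes a physicalLocation with a region; bare names
        # (a host from the sandbox, a manifest file) get the uri only.
        uri, _, line = location.rpartition(":")
        physical = {"artifactLocation": {"uri": uri or location}}
        if uri and line.isdigit():
            physical["region"] = {"startLine": int(line)}
        results.append({
            "ruleId": rule,
            "level": level,
            "message": {"text": f"{rule} observed by {source} analysis"},
            "locations": [{"physicalLocation": physical}],
            "properties": {"source": source},
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool, "version": version,
                                "rules": [{"id": r} for r in sorted({f[1] for f in findings})]}},
            "results": results,
            "properties": {"verdict": verdict(findings)},
        }],
    }


def sign_webhook(body: bytes, secret: bytes) -> str:
    """HMAC-SHA256 over the exact bytes on the wire (assumed header format)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(body: bytes, secret: bytes, signature: str) -> bool:
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(sign_webhook(body, secret), signature)


if __name__ == "__main__":
    log = to_sarif(FINDINGS)
    body = json.dumps(log, sort_keys=True).encode()
    print(body.decode())
    print("X-Signature:", sign_webhook(body, b"constructed-secret"))
    raise SystemExit(EXIT_CODES[verdict(FINDINGS)])
```

Signing the serialized bytes rather than the parsed object is what makes the signature meaningful: the receiver verifies the body exactly as received, before parsing it, and rejects anything altered in transit.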

The result: a verdict you can act on.

Clean, review, or critical - every finding traceable to the change that caused it.
