npm supply chain security
Extuno scans npm packages for supply-chain risk - diffing every version, running install hooks in a sandbox, and flagging typosquats, dependency confusion, and malicious updates with evidence.
Why is npm a frequent target?
npm's scale, deeply nested dependency trees, and install scripts make it attractive to attackers. A single compromised transitive dependency can affect projects that never knowingly installed it, and a postinstall hook runs code before the package is ever imported.
What npm attacks does Extuno catch?
Typosquatting and dependency confusion, malicious preinstall and postinstall hooks, credential and token exfiltration, crypto wallet drainers, and the poisoned-update pattern where a trusted package turns malicious in a later release.
How does Extuno analyze an npm package?
It resolves and unpacks the version, reads it with the static rule set, runs the install lifecycle in a sandbox to see what the hooks do, and diffs against the prior version so a new outbound channel or install-time payload is flagged.