Catch the update that turns an extension malicious
A trusted extension or package can ship clean for months, then push a poisoned update straight to installed users. Version-diff detection compares each new release against the previous one and raises an alert the moment behavior escalates.
What does version-diff detection actually flag?
Version-diff detection compares the new release of an extension or package against the version it replaces, then reports what changed in security terms rather than line counts. The signals that escalate a verdict include:
- New exfiltration host - the code now sends data to a network endpoint it never contacted before.
- New dangerous permission - an added request for cookies, scripting, host access, or process execution.
- New obfuscation - source that was readable last version is now packed or encoded.
- Weakened CSP - a content security policy relaxed to allow remote script.
- New remote code - a fresh path that downloads and runs code after install.
Each change is tied to a banded verdict so a benign-to-dangerous jump stands out.
Why does update-channel compromise matter?
Most scanners check an extension or package once, at install time, and never look again. But the dangerous moment is often later: an attacker buys an established project, steals a maintainer token, or pushes a malicious release through the same channel users already trust. The update installs automatically, with the reputation of the original author behind it.
This is a supply-chain attack, and a point-in-time scan misses it entirely. Watching the diff between versions is the control that closes the gap. Extuno keeps a record of prior versions so every new release is measured against what the project used to do, not against nothing.
How is the diff computed?
When a new version is acquired, Extuno re-runs the full analysis stack and compares the result to the stored prior version. Static analysis reads the new code with 1100+ rules, including 1000+ secret and API-key detectors, to map permissions, network sinks, obfuscation, and dangerous behavior. Dynamic analysis runs the build in an isolated, network-segmented microVM and records the endpoints it contacts, the data it sends, and the API calls it makes.
The diff is the delta between those two profiles. A change that is present in the new version and absent in the old one - a new C2 host, an added permission, freshly packed code - is what raises the alert, so a routine bug-fix release stays quiet.
What does a band-escalation finding look like?
When an update crosses from a low-risk band to a dangerous one, Extuno emits a finding that names exactly what moved. Every finding carries evidence: the file, the line, why the change is dangerous, and the recommended action. AI code analysis adds an advisory explanation that correlates the new behavior against the previous version, so a reviewer sees the before-and-after in plain terms. The verdict itself stays driven by the deterministic rules, not the advisory layer. The result is a clear statement: this version added an exfiltration channel that the last version did not have, here is the proof.
Which ecosystems are covered?
Version-diff detection runs across all twelve supported ecosystems: Chrome, Firefox, VS Code, JetBrains, Eclipse, Discord client mods, npm, and PyPI. Whether the threat ships as a browser extension or a developer package, the same model applies - acquire the new version, re-analyze, diff against the prior release, alert on escalation.
You can run a diff on demand or set continuous monitoring to re-scan automatically when a tracked project publishes a new version. See pricing for the free tier and scan-credit packs.
{
"rule": "diff.escalation.new_exfil_host",
"severity": "critical",
"prev_version": "3.4.1",
"new_version": "3.4.2",
"band_change": "clean -> critical",
"evidence": {
"file": "background.js",
"line": 218,
"detail": "New POST to https://cdn-metrics.io/c absent in 3.4.1"
},
"why": "Update added an exfiltration channel not present in the prior version.",
"action": "Block the update and review 3.4.2 before allowing install."
}Frequently asked questions
How is version-diff detection different from a normal scan?
A normal scan judges one version in isolation. Version-diff compares a new release against the previous one and reports the security-relevant delta. That difference is what catches an extension or package that was clean before and turned dangerous through an update.
Will a routine bug-fix update trigger an alert?
No. The diff alerts on escalation, not on change in general. A finding fires when the new version adds a dangerous signal that the old version did not have, such as a new exfiltration host, an added permission, or new obfuscation. A version that only refactors or fixes bugs stays quiet.
Does it work for packages as well as browser extensions?
Yes. Version-diff detection runs across all twelve supported ecosystems, including npm, PyPI, WordPress, Composer, and Maven packages alongside Chrome, Firefox, VS Code, JetBrains, Eclipse, and Discord client mods. The same acquire, re-analyze, and diff model applies to every one.
What signals count as a benign-to-dangerous escalation?
A new network endpoint the code now sends data to, a newly requested dangerous permission, fresh obfuscation over previously readable code, a weakened content security policy, or a new path that loads and runs remote code. Any of these crossing from absent to present raises the diff alert.
Can I run version diffing automatically?
Yes. Continuous monitoring re-scans a tracked extension or package when it publishes a new version and runs the diff against the prior release automatically, so you do not have to check each update by hand.