Detection method

How version diffing catches poisoned updates

In short

Version diffing compares one release of an extension or package against the next and surfaces exactly what changed - new permissions, new endpoints, new code paths. It is how Extuno catches a benign project that was poisoned through its update channel.

Why diff versions instead of scanning once?

A one-time scan answers is this version bad today. It cannot catch the project that was clean when you adopted it and malicious three updates later. Diffing answers the question that actually matters for supply chain risk: what did this update change, and is any of it dangerous.

What does a version diff surface?

Band escalation across an update (clean to dangerous), newly added sensitive permissions or broadened host access, a new outbound or command-and-control endpoint, a weakened Content-Security-Policy, a new remote-code path, and new install-time behavior. Each delta carries the evidence behind it.

How does Extuno score a risky update?

Extuno reads each version statically and dynamically, computes the deltas, and raises an alert when the new version crosses from benign into dangerous. The score is transparent and explainable, and the headline signal is the band escalation an update introduces.

FAQ

Common questions

What is band escalation?
When the risk band of an extension or package rises from one version to the next - for example clean to dangerous - because the update added malicious or high-risk behavior. It is the core supply-chain alert.
Does diffing produce false positives on normal updates?
Benign updates add features, not exfiltration. Extuno's deltas are defined as new dangerous behavior present in the new version and absent in the old, so routine updates stay quiet.