context safety score
A score of 31/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
cloaking
Page loads content in transparent or zero-size iframe overlay
malicious redirect
Multiple forum section links use onclick handlers that forcibly open http://www.88p2p.com in a new browser window regardless of the linked section. The actual href targets a forum section but onclick overrides navigation to an external adult/commercial site. This is a deceptive redirect pattern that hijacks user clicks. (location: page.html:222,236,250,264,278,292,306,320,334,348,362,376,396,410,424,438,452,466,480,494,508,522,536,550,564,578,592)
hidden content
A web analytics/tracking widget is loaded inside a display:none div. The script loads from //waust.at/c.js with a tracking identifier 'ue2lukn121'. This tracker runs silently without user awareness or consent, collecting visitor data covertly. (location: page.html:639-642)
social engineering
Site announcement redirects users experiencing login issues to alternative domains 5277.cc and 5299.tv. This is a common technique used by adult/grey-market forums to migrate users to mirror or backup domains, potentially harvesting credentials on those alternate sites where security posture is unknown. (location: page.html:146)
credential harvesting
Login form posts credentials to member.php with action=login. The form includes social login buttons for Google, Facebook, and Line via a local plugin (plugin.php?id=social_login). Third-party OAuth flows routed through the site's own plugin infrastructure could intercept OAuth tokens or credentials rather than passing them directly to the identity providers. (location: page.html:56,91-93)
hidden content
REPORTURL JavaScript variable is set to a Base64-encoded value 'aHR0cHM6Ly81Mjc4LmNjLw==' which decodes to 'https://5278.cc/'. While this particular value is benign, using Base64 encoding for URLs in JS config is an obfuscation technique that can obscure malicious redirect targets from static scanners. (location: page.html:15)
malicious redirect
An iframe is embedded loading content from https://player.hboav.com/guga/header_banner.php and https://player.hboav.com/guga/mid_index.php — an external third-party domain serving dynamic banner/ad content inside iframes with no sandbox attribute. This allows the third-party to deliver arbitrary content including drive-by downloads or redirects. (location: page.html:108,390)
malicious redirect
External ad script loaded from https://ad.sitemaji.com/ysm_5278.js with no integrity (SRI) check. Third-party ad scripts have full DOM access and can redirect users, inject phishing overlays, or exfiltrate data. Additional commented-out ad networks (kwntistyuogo.com, realsrv.com, exosrv.com, jads.co) indicate a history of rotating ad providers, some of which are associated with malvertising. (location: page.html:667,184,181,200,192)
social engineering
The 'magnet fish' sharing section (魚訊分享區) with description '自由魚訊個人工作室發佈好魚分享' and related 'fishing/tea' board (釣魚喝茶心得分享區) are euphemistic sections for soliciting paid sexual services, which constitutes social engineering toward illegal activity and potential financial scams targeting users. (location: page.html:552-559,564-573)
curl https://api.brin.sh/domain/5278.ccCommon questions teams ask before deciding whether to use this domain in agent workflows.
5278.cc currently scores 31/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.