context safety score
A score of 32/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
credential harvesting
credential form posts to an off-domain endpoint (may be legitimate SSO/OAuth)
malicious redirect
The scanned URL is pinayflix.me but the page fully operates as kayatan.org — all canonical links, og:url, form actions, logo, and navigation point to kayatan.org. The visited domain (pinayflix.me) silently redirects/proxies to a different brand identity, consistent with a redirect chain used to obscure the true destination and evade blocklists. (location: page.html: <link rel='canonical' href='https://kayatan.org/'>, metadata.json domain=pinayflix.me vs page content domain=kayatan.org)
brand impersonation
The page title and meta description reference 'KAYATAN- Pinayflix' and describe itself as 'new pinayflix', co-opting the well-known 'Pinayflix' brand name to attract traffic intended for that brand. The domain pinayflix.me further exploits the Pinayflix brand directly in the domain name. (location: page.html line 220-221: <title>KAYATAN- Pinayflix...</title>, <meta name='description' content='KAYATAN.org- is new pinayflix...'>)
credential harvesting
The page embeds three credential-collecting forms (registration, login, password reset) inside a hidden modal. These forms collect username, email, and password fields. The modal is hidden from normal view (class='modal fade', aria-hidden='true') and only displayed on user interaction, reducing visibility during automated scanning. Six credential form inputs confirmed by pre-scan context. (location: page.html lines 598-680: #wpst-user-modal with wpst_registration_form, wpst_login_form, wpst_reset_password_form)
malicious redirect
A dynamically-injected third-party script is loaded from scratchyhook.com — a domain with no apparent legitimate affiliation. The script is injected programmatically using DOM manipulation (createElement/insertBefore) with a heavily obfuscated path, and uses referrerPolicy='no-referrer-when-downgrade' to hide referrer information. This pattern is characteristic of malvertising loaders and drive-by redirect chains. (location: page.html lines 570-580: s.src = '//scratchyhook.com/cqDf9S6.b/2M5/l/SwWhQP9hNMjeANy/MBzXU-yQNUSw0V2rM/DNIpzcNQTQIb2_')
malicious redirect
A second suspicious third-party script is loaded from raffleprotectionbow.com with a hashed filename path. This domain name is unrelated to any known legitimate ad or analytics network and follows patterns used by malvertising networks to rotate domains and evade detection. (location: page.html line 581: <script src='//raffleprotectionbow.com/ca/42/a6/ca42a6f519453049348dd57b7291eeb9.js'>)
hidden content
A hidden 1x1 pixel iframe is injected via inline JavaScript (Cloudflare challenge script pattern), positioned absolutely at top:0, left:0 with visibility:hidden. While this specific pattern is associated with Cloudflare bot protection, the same technique is widely used for hidden content delivery and tracking. The iframe dynamically injects further scripts including from '/cdn-cgi/challenge-platform/scripts/jsd/main.js'. (location: page.html lines 710: inline script at end of body creating hidden iframe with height=1, width=1, visibility=hidden)
social engineering
Navigation links direct users to a network of affiliated adult content sites (kantotflix.tv, kantotplus.com, rapbeh.cx, pinayum.cx, lootedpinay.com). These off-domain links drive traffic to a ring of related sites, and the use of the 'Pinay scandal' category framing exploits non-consensual content themes to retain engagement — a common social engineering tactic on exploit/traffic-farming sites. (location: page.html lines 311-316: navigation menu items linking to kantotflix.tv, kantotplus.com, rapbeh.cx, pinayum.cx, lootedpinay.com)
credential harvesting
Four of the six credential forms post to off-domain or cross-context endpoints. The login and registration forms post to https://kayatan.org/ while the scanned domain is pinayflix.me, meaning credentials entered on pinayflix.me are submitted to kayatan.org — a cross-domain credential submission that could facilitate harvesting by the operator of either domain. (location: page.html lines 608, 634, 657: form action='https://kayatan.org/' for registration, login, and password reset forms)
curl https://api.brin.sh/domain/pinayflix.meCommon questions teams ask before deciding whether to use this domain in agent workflows.
pinayflix.me currently scores 32/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.