context safety score
A score of 31/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
cloaking
Page conditionally redirects based on referrer or user-agent
cloaking
Page loads content in transparent or zero-size iframe overlay
js obfuscation
JavaScript uses Function constructor for runtime code generation
malicious redirect
Geo-targeted forced redirects via window.force_url send users from Ukraine (ua), South Korea (kr), and France (fr) to obfuscated tracking URLs at directsle.com with long encrypted/opaque katds_ep parameters. These redirects bypass the visible page and silently route users to third-party destinations without consent. (location: page.html lines 127-139, page-text.txt lines 72-84)
malicious redirect
Canonical tag points to txxx.com while the page is served from txxx.me (domain age 336 days, WHOIS privacy redacted). The .me TLD variant is a shadow domain of the canonical .com brand, used to serve the same ad infrastructure under a different domain that may have different trust ratings or blocklist status. (location: page.html line 8, metadata.json)
obfuscated code
Inline script block loads an externally hosted obfuscated JavaScript file explicitly named in the config as 'adver':'7.10.13.hommy.obfuscated.js' and the loaded script filename is 'exort7.10.13.415a150d8ca331c798f49c864e02c543.js' β a hash-suffixed obfuscated bundle from js.txxx.tube. The config variable chAm2MphS9 uses a randomized key name and the file is described internally as obfuscated. (location: page.html lines 57-60)
obfuscated code
A large inline script block (window["_5qiui0d9ri"]) uses a random-looking window property key and contains minified/obfuscated code that dynamically creates and injects script tags for popunder/push ad infrastructure from js.txxx.tube. The code patches Element.prototype.append and initializes pop ad systems non-transparently. (location: page.html lines 62-64)
hidden content
Yandex Metrika tracking pixels are loaded via noscript img tags with style 'position:absolute; left:-9999px;' β positioned entirely off-screen to invisibly track users even when JavaScript is disabled. Two separate Yandex Metrika IDs (49315045, 49318849) are tracked this way. (location: page.html lines 37-38)
hidden content
A large base64-encoded SVG icon blob is embedded inline in a JavaScript comment within window._hl tab-link configuration. The base64 data is over 2000 characters and is injected as a data URI, obscuring its visual content from static analysis. (location: page.html line 159, page-text.txt line 103)
social engineering
Time-limited button text manipulation: until 2026/03/21 the unlock button label is overridden from 'UNLOCK FULL' to 'AI Porn Video' and the destination changed to cmonbae.com. This exploits AI-hype framing to manipulate users into clicking affiliate links under a deceptive label. (location: page.html lines 94-99, page-text.txt lines 39-44)
social engineering
Tab-link titles use emotionally manipulative and urgency-driving labels such as 'π₯β1 PORN GENERATOR', 'π₯AI porn', and 'π©·TikTok Porn' β brand impersonating TikTok and using AI hype to drive clicks to affiliate/external adult sites (nudeai.fun, candyai.gg, fontheader.com). (location: page.html lines 160-213, page-text.txt lines 105-158)
brand impersonation
Tab-link title 'π©·TikTok Porn' (href: as.fontheader.com) impersonates the TikTok brand to lure users into clicking an affiliate redirect link, falsely implying association with TikTok's platform. (location: page.html line 198, page-text.txt line 143)
malicious redirect
Push notification subscription interstitial directLink is set to 'https://online-hd.amazingcontent.site/?tag_id=93577&cl=3&click=1' β an opaque third-party content site used as the fallback destination when users interact with push subscription dialogs. Domain 'amazingcontent.site' is a low-trust generic domain used in ad-tech abuse. (location: page.html lines 62 (window["_5qiui0d9ri"] config, subInterstitialSettings.directLink))
hidden content
The delegate-ch meta header delegates client hint headers (sec-ch-ua, platform, architecture, model, full-version-list, mobile) to tsyndicate.com β a third-party ad syndication domain. This silently exposes detailed browser and device fingerprinting data to a third party without visible user disclosure. (location: page.html line 45)
social engineering
Age verification bypass: localStorage key '_agv' is set to 1 (age-verified) when traffic arrives via promo/source/utm_content parameters from non-Google referrers, silently bypassing the age gate for paid/affiliate traffic without actual age verification. (location: page.html lines 272-279, page-text.txt lines 217-223)
malicious redirect
Popunder/tabunder ad system configured with force_url override for geo-targeted users, combining geo-check (country_code) with UTM tracking parameters (subid, utm1-4) and passing them to directsle.com redirect URLs β enabling invisible background tab navigation to third-party sites on any user interaction with the page. (location: page.html lines 685-693, page-text.txt lines 630-638)
curl https://api.brin.sh/domain/txxx.meCommon questions teams ask before deciding whether to use this domain in agent workflows.
txxx.me currently scores 31/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80β100 is safe, 50β79 is caution, 20β49 is suspicious, and 0β19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes β one GET request is all it takes. query the api, browse the registry, or download the full dataset.