context safety score
A score of 43/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
cloaking
Page conditionally redirects based on referrer or user-agent
js obfuscation
JavaScript uses Function constructor for runtime code generation
malicious redirect
Popunder/tabunder ad system configured to open new tabs under the current window without user consent, using 'tabunder' type with frequency reset mechanisms and capping bypass logic. Third-party ad networks (tc publisher, ExoClick, TDS chains) are used to deliver destination URLs that are not disclosed to the user before opening. (location: page.html:line 249 (popunder_type: 'tabunder'), lines 237-309 (popOptions.config))
malicious redirect
TDS (Traffic Distribution System) redirect chain via 'bts.red12flyw2.site' and 'ts.red12flyw2.site' embedded in Base64-encoded ad configuration. TDS systems are routinely used to route users through malicious redirect chains depending on geo, device, and campaign parameters, bypassing blocklists. (location: page.html:line 29 (fqp3VeiWI Base64 blob decoded references bts.red12flyw2.site and ts.red12flyw2.site))
malicious redirect
Push notification subscription interstitial configured with a directLink to 'https://online-hd.amazingcontent.site/?tag_id=93577&cl=3&click=1' — a suspicious third-party domain used as a fallback landing page when users decline push notifications, silently redirecting them. (location: page.html:line 31 (subInterstitialSettings directLink: online-hd.amazingcontent.site))
obfuscated code
Large Base64-encoded JSON blob stored in variable 'chAm2MihS' and 'fqp3VeiWI' containing obfuscated ad network configuration including hardlink URLs, VAST ad server endpoints (vsstvstsa.com), TDS domains, and spot/zone IDs. This obfuscation hides the true ad delivery destinations from casual inspection. (location: page.html:lines 28-29 (chAm2MihS and fqp3VeiWI Base64 variables))
obfuscated code
Obfuscated JavaScript bundle loaded from '/loystoness/pineapple7.10.13.c6869e00279afd2abde2d080bac7bb98.js' — a non-standard path with a content-hash filename indicative of obfuscated/minified ad management code (ACtMan). The variable name 'ACtMan' and the loading path are deliberate obfuscation to avoid detection. (location: page.html:line 30 (script src=/loystoness/pineapple7.10.13...))
hidden content
Variable 'window._hidden_channels' set to ['8007'] — undisclosed channel IDs passed silently to the ad system, not visible to the user or in any UI element, used to configure hidden ad placements or content streams. (location: page.html:line 35 (window._hidden_channels = ['8007']))
hidden content
A high-z-index invisible overlay element ('.__bai-overlay', z-index: 99999) is configured as a popunder click-bind target. This invisible layer sits on top of page content to intercept user clicks and trigger popunder ads without visible indication. (location: page.html:line 184 (bindSel includes .__bai-overlay), lines 1087-1089 (z-index: 99999 style))
social engineering
'UNLOCK PREMIUM' button with lock icon image from xmilf.com injected into the video player interface, directing users to affiliate/CPA links based on content keywords (e.g. jav, milf, bdsm, lesbian). The button text is temporarily changed to 'FULL VIDEO HERE' using a time-gated condition, a classic deceptive UX dark pattern. (location: page.html:lines 1092-1111 (window._plBtn, _plBtnText, _plBtnImg))
social engineering
Tab-link advertisements labeled '🔥№1 PORN GENERATOR' (nudeai.fun) and '🔥AI porn' (candyai.gg) are injected as navigation links using the window._hl array. These use urgency/emoji-laden labels to lure clicks to external affiliate sites, with geo-targeting for high-value countries. (location: page.html:lines 1010-1032 (hl1 tablink injection, nudeai.fun and candyai.gg))
social engineering
Second tab-link 'LIVE SEX' with animated green blinking dot (green-blink-dot CSS animation) injected via window.hlink_2, designed to create false presence/urgency indicators mimicking live activity to manipulate user clicks toward 'rabbitscams.sex' and 'go.rmhfrtnd.com' affiliate destinations. (location: page.html:lines 1056-1079 (hlink_2, rabbitscams.sex, go.rmhfrtnd.com))
malicious redirect
Age verification bypass logic: localStorage key '_agv' is silently set to 1 when referrer is not Google and campaign/source UTM params are present, skipping age gates for trafficked users. This circumvents legal age-verification requirements while presenting them to organic users. (location: page.html:lines 87-94 (localStorage.setItem '_agv'))
hidden content
Yandex Metrika tracker (mc.yandex.ru) loaded alongside Google Analytics, sending user behavioral data including cookie values, campaign parameters, and page type to a Russian analytics provider. The 'webvisor' option is disabled but clickmap and trackLinks are active, enabling covert user tracking. (location: page.html:lines 20-22 (ym init with trackLinks:true))
hidden content
Client Hints delegation via 'delegate-ch' meta tag sends detailed browser fingerprinting data (ua, bitness, arch, model, platform, full version list, mobile status) to tsyndicate.com — a third-party ad/tracking domain — without user awareness or consent disclosure. (location: page.html:line 34 (meta http-equiv=delegate-ch, tsyndicate.com))
malicious redirect
Offerwall redirect configured to 'https://engine.flixtrial.com/?653155046' under the label 'Gamma Entertainment' — an affiliate subscription trial funnel that may lead to unwanted recurring charges when users interact with the /download page flow. (location: page.html:lines 1081-1085 (window._offerwall, flixtrial.com))
curl https://api.brin.sh/domain/vxxx.comCommon questions teams ask before deciding whether to use this domain in agent workflows.
vxxx.com currently scores 43/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.