{"total":824984,"limit":50,"offset":0,"data":[{"origin":"npm","identifier":"tests/unit/main/customer-context-evidence.test.js","score":0,"confidence":"low","verdict":"dangerous","scanned_at":"2026-04-07T09:05:23.654094Z","sub_scores":{"identity":0.0,"behavior":0.0,"content":0.0,"graph":30.0},"threats":[{"type":"scan_error","severity":"critical","detail":"registry fetch failed: package not found: tests/unit/main/customer-context-evidence.test.js"}],"pending_deep_scan":false},{"origin":"domain","identifier":"mailing.billiger.de","score":81,"confidence":"medium","verdict":"safe","scanned_at":"2026-04-07T08:56:19.169583Z","sub_scores":{"identity":90.0,"behavior":100.0,"content":100.0,"graph":30.0},"pending_deep_scan":false},{"origin":"domain","identifier":"402payment-test.com","score":52,"confidence":"medium","verdict":"caution","scanned_at":"2026-04-07T08:41:20.907291Z","sub_scores":{"identity":60.0,"behavior":100.0,"content":30.0,"graph":72.0},"threats":[{"type":"brand_impersonation","severity":"high","detail":"The site 402payment-test.com presents itself as an official Coinbase x402 protocol demo, heavily using Coinbase branding ('Coinbase x402', 'Coinbase Wallet' button, references to official Coinbase docs at docs.cdp.coinbase.com/x402/) and Schema.org Organization markup associating itself with 'https://x402.org' and Coinbase's official documentation. The domain is only 130 days old and uses a test-like subdomain pattern ('402payment-test.com') to appear legitimate while not being an official Coinbase property. This combination creates a convincing impersonation surface targeting AI agents and developers. (location: page.html: <title>, meta description, Coinbase Wallet button, Schema.org Organization JSON-LD, footer Official Docs link)"},{"type":"social_engineering","severity":"high","detail":"The site is explicitly designed to target autonomous AI agents, encouraging them to 'Enable AI agents to pay for resources with a single API call' and 'Trigger 402 Request'. The page is marketed as 'Agent Ready' and 'Designed for autonomous AI agents to negotiate and pay for resources.' This is a social engineering pattern targeting AI agent operators and the agents themselves to connect wallets and initiate payment flows on a third-party, non-official domain impersonating Coinbase's x402 protocol. (location: page.html: hero section, features section ('Agent Ready'), CTA button 'Trigger 402 Request')"},{"type":"credential_harvesting","severity":"medium","detail":"The site prompts users (and AI agents) to connect either a 'Coinbase Wallet' or 'Browser Wallet' via prominent buttons in the demo UI. On an unofficial 130-day-old domain impersonating Coinbase, wallet connection requests are a vector for harvesting wallet credentials, private keys, or initiating unauthorized transactions. No form fields are visible in static HTML, but the wallet connect flow is client-side JavaScript (X402Demo component loaded from chunked JS). (location: page.html: Live x402 Demo section, 'Coinbase Wallet' and 'Browser Wallet' buttons, X402Demo JS component (/_next/static/chunks/802d8cb5b36944e4.js, 3cc835f15c58c978.js, 1ebdb2cb7dfa4f9d.js))"},{"type":"phishing","severity":"high","detail":"The domain '402payment-test.com' is 130 days old and mimics the legitimate x402 protocol ecosystem (x402.org, Coinbase CDP). The site uses an official-looking UI, Coinbase branding, and links to real Coinbase documentation to establish false legitimacy. Users and AI agents directed to this site for 'testing' the x402 protocol may be deceived into connecting wallets or submitting payments to attacker-controlled infrastructure. (location: metadata.json: domain=402payment-test.com, domain_age_days=130; page.html: title, meta tags, Schema.org JSON-LD)"}],"pending_deep_scan":false},{"origin":"pr","identifier":"superagent-ai/brin-github","version":"5","score":46,"confidence":"medium","verdict":"suspicious","scanned_at":"2026-04-07T08:07:39.998778Z","sub_scores":{"identity":80.200005,"behavior":47.0,"content":19.0,"graph":30.0},"threats":[{"type":"security_sabotage","severity":"medium","detail":"Security tooling config modified: .gitignore"},{"type":"backdoor","severity":"low","detail":"The new /api/github/marketplace endpoint in src/index.ts skips signature verification entirely when env.marketplaceWebhookSecret is an empty string (the default fallback value from env.ts: `process.env.MARKETPLACE_WEBHOOK_SECRET ?? \"\"`). An empty string is falsy, so the HMAC check block is bypassed if the env var is not set. This means in misconfigured deployments, any caller can trigger marketplace event handling without authentication. The endpoint itself only logs data and returns {ok:true}, limiting immediate impact, but the unauthenticated code path is a concern."},{"type":"supply_chain_mod","severity":"low","detail":"package-lock.json introduces a large set of new transitive dependencies via vitest (a dev dependency): rollup, vite, postcss, magic-string, tinypool, tinyexec, and others — all resolved from registry.npmjs.org with integrity hashes present. All packages are well-known and marked dev:true, so they do not affect the production bundle. No suspicious registry URLs, install scripts, or unknown packages were found. This is a low-severity informational note only."}],"pending_deep_scan":false},{"origin":"pr","identifier":"superagent-ai/brin-github","score":46,"confidence":"medium","verdict":"suspicious","scanned_at":"2026-04-07T08:07:39.998778Z","sub_scores":{"identity":80.200005,"behavior":47.0,"content":19.0,"graph":30.0},"threats":[{"type":"security_sabotage","severity":"medium","detail":"Security tooling config modified: .gitignore"},{"type":"backdoor","severity":"low","detail":"The new /api/github/marketplace endpoint in src/index.ts skips signature verification entirely when env.marketplaceWebhookSecret is an empty string (the default fallback value from env.ts: `process.env.MARKETPLACE_WEBHOOK_SECRET ?? \"\"`). An empty string is falsy, so the HMAC check block is bypassed if the env var is not set. This means in misconfigured deployments, any caller can trigger marketplace event handling without authentication. The endpoint itself only logs data and returns {ok:true}, limiting immediate impact, but the unauthenticated code path is a concern."},{"type":"supply_chain_mod","severity":"low","detail":"package-lock.json introduces a large set of new transitive dependencies via vitest (a dev dependency): rollup, vite, postcss, magic-string, tinypool, tinyexec, and others — all resolved from registry.npmjs.org with integrity hashes present. All packages are well-known and marked dev:true, so they do not affect the production bundle. No suspicious registry URLs, install scripts, or unknown packages were found. This is a low-severity informational note only."}],"pending_deep_scan":false},{"origin":"pr","identifier":"superagent-ai/grok-cli","score":29,"confidence":"low","verdict":"suspicious","scanned_at":"2026-04-07T06:58:49.867360Z","sub_scores":{"identity":80.200005,"behavior":40.0,"content":0.0,"graph":30.0},"threats":[{"type":"obfuscation","severity":"high","detail":"High-entropy addition detected (entropy=5.70, 217 chars)"},{"type":"security_sabotage","severity":"high","detail":"Two security-related CI workflows were entirely deleted: '.github/workflows/contributor-check.yml' (which ran contributor trust analysis via the Brin API on every PR) and '.github/workflows/pr-security-scan.yml' (which scanned PRs for security threats and could block dangerous PRs from merging). Removing both workflows in the same PR that introduces significant new code eliminates automated security gates that would otherwise scrutinize this very PR."},{"type":"supply_chain_mod","severity":"high","detail":"The PR adds '@coinbase/agentkit@^0.10.4' to package.json, which pulls in an extremely large transitive dependency tree (3318 additions to bun.lock). The dependency tree includes packages with broad, sensitive capabilities: '@privy-io/server-auth', '@metamask/sdk', '@coinbase/cdp-sdk', '@coinbase/coinbase-sdk', 'twitter-api-v2', '@solana/web3.js', and many wallet/DeFi SDKs. This is a substantial and difficult-to-audit supply chain expansion introduced alongside the removal of the security scanning workflows."},{"type":"supply_chain_mod","severity":"medium","detail":"The new dependency '@alloralabs/allora-sdk@0.1.1' is an early-stage SDK (0.1.x) from a relatively unknown publisher pulled in as a transitive dependency of @coinbase/agentkit. Low-version SDKs from less-established orgs carry elevated risk of malicious or insecure code."},{"type":"ci_tampering","severity":"high","detail":"Deleting '.github/workflows/pr-security-scan.yml' removes a CI step that explicitly failed builds when a PR was scored as 'dangerous' (score < 30) by the Brin security scanner. This workflow would have triggered on this PR and potentially blocked it. Its removal directly enables this PR to merge without that gate."}],"pending_deep_scan":false},{"origin":"pr","identifier":"superagent-ai/grok-cli","version":"252","score":29,"confidence":"low","verdict":"suspicious","scanned_at":"2026-04-07T06:58:49.867360Z","sub_scores":{"identity":80.200005,"behavior":40.0,"content":0.0,"graph":30.0},"threats":[{"type":"obfuscation","severity":"high","detail":"High-entropy addition detected (entropy=5.70, 217 chars)"},{"type":"security_sabotage","severity":"high","detail":"Two security-related CI workflows were entirely deleted: '.github/workflows/contributor-check.yml' (which ran contributor trust analysis via the Brin API on every PR) and '.github/workflows/pr-security-scan.yml' (which scanned PRs for security threats and could block dangerous PRs from merging). Removing both workflows in the same PR that introduces significant new code eliminates automated security gates that would otherwise scrutinize this very PR."},{"type":"supply_chain_mod","severity":"high","detail":"The PR adds '@coinbase/agentkit@^0.10.4' to package.json, which pulls in an extremely large transitive dependency tree (3318 additions to bun.lock). The dependency tree includes packages with broad, sensitive capabilities: '@privy-io/server-auth', '@metamask/sdk', '@coinbase/cdp-sdk', '@coinbase/coinbase-sdk', 'twitter-api-v2', '@solana/web3.js', and many wallet/DeFi SDKs. This is a substantial and difficult-to-audit supply chain expansion introduced alongside the removal of the security scanning workflows."},{"type":"supply_chain_mod","severity":"medium","detail":"The new dependency '@alloralabs/allora-sdk@0.1.1' is an early-stage SDK (0.1.x) from a relatively unknown publisher pulled in as a transitive dependency of @coinbase/agentkit. Low-version SDKs from less-established orgs carry elevated risk of malicious or insecure code."},{"type":"ci_tampering","severity":"high","detail":"Deleting '.github/workflows/pr-security-scan.yml' removes a CI step that explicitly failed builds when a PR was scored as 'dangerous' (score < 30) by the Brin security scanner. This workflow would have triggered on this PR and potentially blocked it. Its removal directly enables this PR to merge without that gate."}],"pending_deep_scan":false},{"origin":"page","identifier":"www.getxapi.com/twitter-free-api","score":67,"confidence":"medium","verdict":"caution","scanned_at":"2026-04-07T06:08:41.393543Z","sub_scores":{"identity":50.0,"behavior":100.0,"content":67.0,"graph":60.0},"threats":[{"type":"brand_impersonation","severity":"medium","detail":"The site consistently uses the trademarked 'Twitter' brand name throughout its content, titles, meta tags, and structured data (e.g., 'Twitter Free API', 'Twitter API Alternatives', 'Twitter API Rate Limits') despite Twitter being rebranded to X. The domain getxapi.com and its API endpoint api.getxapi.com position themselves as a Twitter/X API intermediary — a 60-day-old domain with no disclosed affiliation to X Corp, collecting API keys and payment credentials while trading on the Twitter brand name to attract users searching for official Twitter API access. (location: page title, meta tags, structured data (schema.org Organization/WebSite), page headings, and throughout page-text.txt)"},{"type":"social_engineering","severity":"medium","detail":"The page employs multiple urgency and trust-building tactics: (1) falsely framing the official X API price increase as a permanent crisis ('Official X API No Longer Has a Free Tier') to drive users to sign up; (2) prominently labeling its own service as 'RECOMMENDED' in a comparison table it authored; (3) emphasizing 'no credit card required' and 'under 2 minutes' framing to lower user hesitation; (4) displaying a fake 'New' badge banner announcing free endpoints to create urgency. These are classic conversion-pressure techniques used to drive account signups and potential credential capture on a very young (60-day) domain. (location: page.html comparison table, FAQ schema, hero section, announcement banner)"},{"type":"credential_harvesting","severity":"medium","detail":"The site is a 60-day-old domain soliciting user account creation (signup with Google or email), API key generation, and payment/credit purchases. The sole listed contact is an anonymous Telegram account (t.me/bozad69) embedded in schema.org structured data as the official 'customer support' contact. This combination — young domain, anonymous Telegram support, API key collection, payment processing, and no verifiable corporate identity — presents a meaningful risk that user credentials (Google OAuth tokens, email, payment info) could be harvested. (location: schema.org Organization contactPoint (t.me/bozad69), signup CTA buttons in page.html, metadata.json domain_age_days: 60)"},{"type":"brand_impersonation","severity":"low","detail":"The schema.org Organization block uses 'sameAs: [https://t.me/bozad69]' to assert an anonymous Telegram channel as the canonical social identity for an organization claiming to provide the official-sounding 'Twitter API' service. This structured-data misuse could mislead AI agents and search crawlers into treating getxapi.com as an authoritative Twitter/X API provider. (location: page.html <script type='application/ld+json'> Organization block, page-text.txt line 1)"}],"pending_deep_scan":false},{"origin":"page","identifier":"opentweet.io/blog/best-twitter-apis-for-ai-agents-2026","score":75,"confidence":"medium","verdict":"caution","scanned_at":"2026-04-07T06:08:00.575807Z","sub_scores":{"identity":60.0,"behavior":100.0,"content":77.0,"graph":66.8},"threats":[{"type":"social_engineering","severity":"medium","detail":"The page is a blog post authored by 'OpenTweet Team' on the OpenTweet domain itself, reviewing competing APIs while consistently positioning OpenTweet as the best option. The comparison table, decision tree, and code examples are structured to funnel readers toward purchasing OpenTweet ($5.99/month). The article claims 'no affiliate links' and 'no fluff' to establish false impartiality while being entirely self-promotional content. The CTA sections also show a price discrepancy: the article body states '$5.99/month' while the footer CTA states 'Only $11.99/mo', which could deceive users about actual pricing. (location: page.html and page-text.txt: throughout the article, notably the 'Quick Comparison' table, 'Decision Tree' section, and CTAs)"},{"type":"brand_impersonation","severity":"medium","detail":"The article references 'OpenClaw (200K+ GitHub stars, formerly Clawdbot/Moltbot)' as a major AI agent framework and promotes a first-party OpenTweet integration for it. No such project with 200K+ GitHub stars under the name 'OpenClaw', 'Clawdbot', or 'Moltbot' appears to exist as a legitimate well-known framework. This fabricated social proof (inflated GitHub star count, invented former names) is used to make OpenTweet appear as a mainstream integration, potentially impersonating or falsely associating with real AI agent projects to lend credibility. (location: page.html line 511 / page-text.txt line 511: 'Connecting to OpenClaw' section)"},{"type":"social_engineering","severity":"low","detail":"The article lists 'LLM-optimized docs endpoint for AI agents' as a feature, stating the docs are available as 'plain text that AI agents can read and parse directly.' This is designed to encourage AI agents to autonomously fetch and act on content from opentweet.io/api/v1/docs, which could be used to deliver instructions or manipulate agent behavior if that endpoint contains adversarial content. The framing targets AI agent pipelines specifically. (location: page.html lines 226-227 / page-text.txt lines 226-227: OpenTweet API section, 'Available Endpoints' description)"}],"pending_deep_scan":false},{"origin":"page","identifier":"devcommunity.x.com/t/all-get-endpoints-are-available-in-free-access-level/234258","score":83,"confidence":"medium","verdict":"safe","scanned_at":"2026-04-07T06:07:48.475321Z","sub_scores":{"identity":100.0,"behavior":100.0,"content":100.0,"graph":30.0},"pending_deep_scan":false},{"origin":"page","identifier":"developer.x.com/en/docs/twitter-api/tweets/lookup/introduction","score":90,"confidence":"high","verdict":"safe","scanned_at":"2026-04-07T06:07:46.283132Z","sub_scores":{"identity":100.0,"behavior":80.0,"content":100.0,"graph":72.26666},"threats":[{"type":"prompt_injection","severity":"high","detail":"Hidden HTML element contains AI-targeting instructions"}],"pending_deep_scan":false},{"origin":"page","identifier":"developer.x.com/en/docs/x-api/tweets/filtered-stream/migrate","score":90,"confidence":"high","verdict":"safe","scanned_at":"2026-04-07T06:07:44.403245Z","sub_scores":{"identity":100.0,"behavior":80.0,"content":100.0,"graph":72.26666},"threats":[{"type":"prompt_injection","severity":"high","detail":"Hidden HTML element contains AI-targeting instructions"}],"pending_deep_scan":false},{"origin":"page","identifier":"www.insidehook.com/internet/monitoring-situation-became-reality-tv-men","score":91,"confidence":"high","verdict":"safe","scanned_at":"2026-04-07T06:07:43.467002Z","sub_scores":{"identity":100.0,"behavior":80.0,"content":100.0,"graph":76.2},"threats":[{"type":"phishing","severity":"high","detail":"4 deceptive links where visible host does not match destination host"}],"pending_deep_scan":false},{"origin":"page","identifier":"developer.x.com/en/docs/twitter-api/migrate/whats-new","score":90,"confidence":"high","verdict":"safe","scanned_at":"2026-04-07T06:07:42.049935Z","sub_scores":{"identity":100.0,"behavior":80.0,"content":100.0,"graph":72.26666},"threats":[{"type":"prompt_injection","severity":"high","detail":"Hidden HTML element contains AI-targeting instructions"}],"pending_deep_scan":false},{"origin":"page","identifier":"knowyourmeme.com/memes/monitoring-the-situation/photos","score":55,"confidence":"medium","verdict":"caution","scanned_at":"2026-04-07T06:07:37.848210Z","sub_scores":{"identity":100.0,"behavior":100.0,"content":15.0,"graph":75.4},"threats":[{"type":"exfiltration","severity":"critical","detail":"JavaScript exfiltrates cookies via fetch/XHR"},{"type":"exfiltration","severity":"critical","detail":"JavaScript appears to implement keylogging with exfiltration"},{"type":"exfiltration","severity":"high","detail":"JavaScript intercepts form submissions to exfiltrate data"},{"type":"js_obfuscation","severity":"high","detail":"JavaScript uses eval(atob()) — base64-encoded payload execution"},{"type":"prompt_injection","severity":"high","detail":"Hidden HTML element contains AI-targeting instructions"}],"pending_deep_scan":false},{"origin":"page","identifier":"devcommunity.x.com/t/announcing-the-x-api-pay-per-use-pricing-pilot/250253","score":83,"confidence":"medium","verdict":"safe","scanned_at":"2026-04-07T06:07:37.844114Z","sub_scores":{"identity":100.0,"behavior":100.0,"content":100.0,"graph":30.0},"pending_deep_scan":false},{"origin":"page","identifier":"knowyourmeme.com/photos/3086728-monitoring-the-situation","score":55,"confidence":"medium","verdict":"caution","scanned_at":"2026-04-07T06:07:35.630400Z","sub_scores":{"identity":100.0,"behavior":100.0,"content":15.0,"graph":75.276924},"threats":[{"type":"exfiltration","severity":"critical","detail":"JavaScript exfiltrates cookies via fetch/XHR"},{"type":"exfiltration","severity":"critical","detail":"JavaScript appears to implement keylogging with exfiltration"},{"type":"exfiltration","severity":"high","detail":"JavaScript intercepts form submissions to exfiltrate data"},{"type":"js_obfuscation","severity":"high","detail":"JavaScript uses eval(atob()) — base64-encoded payload execution"},{"type":"prompt_injection","severity":"high","detail":"Hidden HTML element contains AI-targeting instructions"}],"pending_deep_scan":false},{"origin":"page","identifier":"knowyourmeme.com/photos/3086732-monitoring-the-situation","score":55,"confidence":"medium","verdict":"caution","scanned_at":"2026-04-07T06:07:32.850123Z","sub_scores":{"identity":100.0,"behavior":100.0,"content":15.0,"graph":75.276924},"threats":[{"type":"exfiltration","severity":"critical","detail":"JavaScript exfiltrates cookies via fetch/XHR"},{"type":"exfiltration","severity":"critical","detail":"JavaScript appears to implement keylogging with exfiltration"},{"type":"exfiltration","severity":"high","detail":"JavaScript intercepts form submissions to exfiltrate data"},{"type":"js_obfuscation","severity":"high","detail":"JavaScript uses eval(atob()) — base64-encoded payload execution"},{"type":"prompt_injection","severity":"high","detail":"Hidden HTML element contains AI-targeting instructions"}],"pending_deep_scan":false},{"origin":"page","identifier":"devcommunity.x.com/t/list-of-twitter-api-v2-access-endpoints-in-free-tier/198614","score":83,"confidence":"medium","verdict":"safe","scanned_at":"2026-04-07T06:07:32.671344Z","sub_scores":{"identity":100.0,"behavior":100.0,"content":100.0,"graph":30.0},"pending_deep_scan":false},{"origin":"page","identifier":"devcommunity.x.com/t/is-search-recent-posts-available-on-free-tier/247462","score":83,"confidence":"medium","verdict":"safe","scanned_at":"2026-04-07T06:07:32.271991Z","sub_scores":{"identity":100.0,"behavior":100.0,"content":100.0,"graph":30.0},"pending_deep_scan":false},{"origin":"page","identifier":"devcommunity.x.com/t/twitter-api-v2-free-plan-features/205530","score":83,"confidence":"medium","verdict":"safe","scanned_at":"2026-04-07T06:07:30.546068Z","sub_scores":{"identity":100.0,"behavior":100.0,"content":100.0,"graph":30.0},"pending_deep_scan":false},{"origin":"page","identifier":"devcommunity.x.com/t/want-to-understand-the-pricing/256677","score":83,"confidence":"medium","verdict":"safe","scanned_at":"2026-04-07T06:07:30.413794Z","sub_scores":{"identity":100.0,"behavior":100.0,"content":100.0,"graph":30.0},"pending_deep_scan":false},{"origin":"page","identifier":"medium.com/@modernrobinhood1998/how-to-get-an-x-twitter-api-key-and-post-with-the-free-tier-october-2025-b428b23e3fa8","score":83,"confidence":"medium","verdict":"safe","scanned_at":"2026-04-07T06:07:26.900056Z","sub_scores":{"identity":100.0,"behavior":100.0,"content":100.0,"graph":30.0},"pending_deep_scan":false},{"origin":"page","identifier":"www.instagram.com/reel/DWFr-A6DhbR","score":95,"confidence":"high","verdict":"safe","scanned_at":"2026-04-07T06:07:22.447054Z","sub_scores":{"identity":100.0,"behavior":100.0,"content":100.0,"graph":79.6},"pending_deep_scan":false},{"origin":"page","identifier":"www.reddit.com/r/PeterExplainsTheJoke/comments/1rjmkw4/petaahhhh","score":89,"confidence":"high","verdict":"safe","scanned_at":"2026-04-07T06:07:21.649598Z","sub_scores":{"identity":100.0,"behavior":80.0,"content":100.0,"graph":68.8},"pending_deep_scan":false},{"origin":"page","identifier":"devcommunity.x.com/t/twitter-v2-endpoints-breakdown-for-free-tier/188900","score":83,"confidence":"medium","verdict":"safe","scanned_at":"2026-04-07T06:07:21.601221Z","sub_scores":{"identity":100.0,"behavior":100.0,"content":100.0,"graph":30.0},"pending_deep_scan":false},{"origin":"page","identifier":"postproxy.dev/blog/x-api-pricing-2026","score":87,"confidence":"high","verdict":"safe","scanned_at":"2026-04-07T06:07:21.595542Z","sub_scores":{"identity":100.0,"behavior":80.0,"content":100.0,"graph":61.2},"pending_deep_scan":false},{"origin":"page","identifier":"www.xpoz.ai/blog/guides/understanding-twitter-api-pricing-tiers-and-alternatives","score":87,"confidence":"high","verdict":"safe","scanned_at":"2026-04-07T06:07:21.073459Z","sub_scores":{"identity":90.0,"behavior":80.0,"content":100.0,"graph":68.4},"pending_deep_scan":false},{"origin":"page","identifier":"www.instagram.com/p/DWPGgTPFXJy","score":95,"confidence":"high","verdict":"safe","scanned_at":"2026-04-07T06:07:19.860494Z","sub_scores":{"identity":100.0,"behavior":100.0,"content":100.0,"graph":79.6},"pending_deep_scan":false},{"origin":"page","identifier":"www.threads.com/%40aifortuneclub/post/DVY2wn2Fjog/the-internet-now-has-an-open-source-control-room-thanks-to-an-x-user-named-elie","score":80,"confidence":"medium","verdict":"safe","scanned_at":"2026-04-07T06:07:19.566085Z","sub_scores":{"identity":100.0,"behavior":80.0,"content":100.0,"graph":30.0},"pending_deep_scan":false},{"origin":"page","identifier":"www.instagram.com/p/DWIbP0Ujs-o","score":95,"confidence":"high","verdict":"safe","scanned_at":"2026-04-07T06:07:19.127768Z","sub_scores":{"identity":100.0,"behavior":100.0,"content":100.0,"graph":79.6},"pending_deep_scan":false},{"origin":"page","identifier":"knowyourmeme.com/photos/3086209-monitoring-the-situation","score":55,"confidence":"medium","verdict":"caution","scanned_at":"2026-04-07T06:07:13.094319Z","sub_scores":{"identity":100.0,"behavior":100.0,"content":15.0,"graph":75.276924},"threats":[{"type":"exfiltration","severity":"critical","detail":"JavaScript exfiltrates cookies via fetch/XHR"},{"type":"exfiltration","severity":"critical","detail":"JavaScript appears to implement keylogging with exfiltration"},{"type":"exfiltration","severity":"high","detail":"JavaScript intercepts form submissions to exfiltrate data"},{"type":"js_obfuscation","severity":"high","detail":"JavaScript uses eval(atob()) — base64-encoded payload execution"},{"type":"prompt_injection","severity":"high","detail":"Hidden HTML element contains AI-targeting instructions"}],"pending_deep_scan":false},{"origin":"page","identifier":"knowyourmeme.com/photos/3086202-monitoring-the-situation","score":55,"confidence":"medium","verdict":"caution","scanned_at":"2026-04-07T06:07:13.043347Z","sub_scores":{"identity":100.0,"behavior":100.0,"content":15.0,"graph":75.276924},"threats":[{"type":"exfiltration","severity":"critical","detail":"JavaScript exfiltrates cookies via fetch/XHR"},{"type":"exfiltration","severity":"critical","detail":"JavaScript appears to implement keylogging with exfiltration"},{"type":"exfiltration","severity":"high","detail":"JavaScript intercepts form submissions to exfiltrate data"},{"type":"js_obfuscation","severity":"high","detail":"JavaScript uses eval(atob()) — base64-encoded payload execution"},{"type":"prompt_injection","severity":"high","detail":"Hidden HTML element contains AI-targeting instructions"}],"pending_deep_scan":false},{"origin":"page","identifier":"www.instagram.com/p/DWFLMi7kVoF","score":95,"confidence":"high","verdict":"safe","scanned_at":"2026-04-07T06:07:11.936094Z","sub_scores":{"identity":100.0,"behavior":100.0,"content":100.0,"graph":79.6},"pending_deep_scan":false},{"origin":"page","identifier":"www.telegraphindia.com/world/missiles-on-news-channels-thats-so-last-century-internet-war-rooms-emerge-new-way-to-watch/cid/2150804","score":83,"confidence":"medium","verdict":"safe","scanned_at":"2026-04-07T06:07:10.165244Z","sub_scores":{"identity":100.0,"behavior":100.0,"content":100.0,"graph":30.0},"pending_deep_scan":false},{"origin":"page","identifier":"www.spamhaus.or<br>g/query/ip/82.165.159.13","score":41,"confidence":"low","verdict":"suspicious","scanned_at":"2026-04-07T04:57:33.204890Z","sub_scores":{"identity":0.0,"behavior":100.0,"content":47.0,"graph":30.0},"threats":[{"type":"tls_connection_failed","severity":"high","detail":"Could not establish TLS connection"},{"type":"brand_impersonation","severity":"high","detail":"The domain 'www.spamhaus.or<br>g' contains an injected HTML tag '<br>' within the domain string, making it visually resemble 'spamhaus.org' (a well-known cybersecurity/blocklist authority) while actually being a different or malformed domain. This is a classic brand impersonation tactic exploiting Spamhaus's trusted reputation. (location: metadata.json: domain field; .brin-context.md: URL/Domain fields)"},{"type":"phishing","severity":"high","detail":"The URL 'https://www.spamhaus.or<br>g/query/ip/82.165.159.13' impersonates the legitimate Spamhaus IP lookup service (spamhaus.org) by inserting '<br>' into the domain. Users or AI agents following this link expecting a legitimate Spamhaus reputation check would be interacting with a spoofed endpoint. (location: metadata.json: url field; .brin-context.md: URL field)"},{"type":"prompt_injection","severity":"medium","detail":"The '<br>' HTML tag injected directly into the domain/URL string in both metadata.json and .brin-context.md may be an attempt to manipulate AI agents or automated parsers that render or interpret HTML within data fields, potentially causing misrepresentation of the domain value or bypassing domain-validation logic. (location: metadata.json: domain and url fields; .brin-context.md: URL and Domain fields)"},{"type":"hidden_content","severity":"low","detail":"TLS connection failed (connected=false, cert_valid=false), meaning the page content could not be securely retrieved. Both page.html and page-text.txt are empty, suggesting the actual page content is inaccessible or withheld, which prevents full threat analysis of the live page. (location: metadata.json: tls object; page.html (empty); page-text.txt (empty))"}],"pending_deep_scan":false},{"origin":"domain","identifier":"mannativf.com","score":83,"confidence":"medium","verdict":"safe","scanned_at":"2026-04-07T04:57:27.238801Z","sub_scores":{"identity":100.0,"behavior":100.0,"content":100.0,"graph":30.0},"pending_deep_scan":false},{"origin":"contributor","identifier":"navedsayyed","score":88,"confidence":"high","verdict":"safe","scanned_at":"2026-04-07T04:36:36.014084Z","sub_scores":{"identity":76.0,"behavior":90.0,"content":100.0,"graph":30.0},"pending_deep_scan":false},{"origin":"repo","identifier":"jupyterlite%2Fjupyterlite","score":47,"confidence":"medium","verdict":"suspicious","scanned_at":"2026-04-07T04:01:31.598368Z","sub_scores":{"identity":50.0,"behavior":50.0,"content":50.0,"graph":30.0},"pending_deep_scan":false},{"origin":"domain","identifier":"www.larpd.org","score":55,"confidence":"medium","verdict":"caution","scanned_at":"2026-04-07T03:58:35.821396Z","sub_scores":{"identity":100.0,"behavior":100.0,"content":15.0,"graph":70.16},"threats":[{"type":"exfiltration","severity":"critical","detail":"JavaScript appears to implement keylogging with exfiltration"}],"pending_deep_scan":false},{"origin":"domain","identifier":"www.visitingangels.com","score":89,"confidence":"high","verdict":"safe","scanned_at":"2026-04-07T03:58:30.191087Z","sub_scores":{"identity":100.0,"behavior":75.0,"content":100.0,"graph":70.88},"pending_deep_scan":false},{"origin":"domain","identifier":"visittrivalley.com","score":55,"confidence":"medium","verdict":"caution","scanned_at":"2026-04-07T03:58:25.203069Z","sub_scores":{"identity":100.0,"behavior":100.0,"content":15.0,"graph":75.48572},"threats":[{"type":"exfiltration","severity":"critical","detail":"JavaScript appears to implement keylogging with exfiltration"},{"type":"prompt_injection","severity":"high","detail":"Hidden HTML element contains AI-targeting instructions"}],"pending_deep_scan":false},{"origin":"domain","identifier":"www.bloomingcampranch.com","score":77,"confidence":"medium","verdict":"caution","scanned_at":"2026-04-07T03:49:44.169039Z","sub_scores":{"identity":70.0,"behavior":100.0,"content":100.0,"graph":30.0},"threats":[{"type":"tls_connection_failed","severity":"high","detail":"Could not establish TLS connection"}],"pending_deep_scan":false},{"origin":"domain","identifier":"www.murrietahorsebackriding.com","score":93,"confidence":"high","verdict":"safe","scanned_at":"2026-04-07T03:49:28.251577Z","sub_scores":{"identity":100.0,"behavior":100.0,"content":100.0,"graph":71.5},"pending_deep_scan":false},{"origin":"page","identifier":"https://plannotator.ai/install.sh","score":81,"confidence":"medium","verdict":"safe","scanned_at":"2026-04-07T02:46:53.429215Z","sub_scores":{"identity":90.0,"behavior":100.0,"content":100.0,"graph":30.0},"pending_deep_scan":false},{"origin":"npm","identifier":"append-only","score":70,"confidence":"medium","verdict":"caution","scanned_at":"2026-04-07T02:32:11.801359Z","sub_scores":{"identity":40.0,"behavior":70.0,"content":100.0,"graph":53.2},"threats":[{"type":"supply_chain","severity":"medium","detail":"Socket alert: unpopularPackage (middle)"}],"pending_deep_scan":false},{"origin":"npm","identifier":"append-only","version":"0.2.3","score":70,"confidence":"medium","verdict":"caution","scanned_at":"2026-04-07T02:32:11.801359Z","sub_scores":{"identity":40.0,"behavior":70.0,"content":100.0,"graph":53.2},"threats":[{"type":"supply_chain","severity":"medium","detail":"Socket alert: unpopularPackage (middle)"}],"pending_deep_scan":false},{"origin":"npm","identifier":"audit","score":66,"confidence":"medium","verdict":"caution","scanned_at":"2026-04-07T02:32:09.937417Z","sub_scores":{"identity":35.0,"behavior":70.0,"content":100.0,"graph":30.0},"threats":[{"type":"supply_chain","severity":"medium","detail":"Source repository link (git://github.com/Weltschmerz/Audit) could not be verified"}],"pending_deep_scan":false},{"origin":"npm","identifier":"audit","version":"0.0.6","score":66,"confidence":"medium","verdict":"caution","scanned_at":"2026-04-07T02:32:09.937417Z","sub_scores":{"identity":35.0,"behavior":70.0,"content":100.0,"graph":30.0},"threats":[{"type":"supply_chain","severity":"medium","detail":"Source repository link (git://github.com/Weltschmerz/Audit) could not be verified"}],"pending_deep_scan":false},{"origin":"npm","identifier":"insert","version":"1.0.1","score":72,"confidence":"medium","verdict":"caution","scanned_at":"2026-04-07T02:32:07.639705Z","sub_scores":{"identity":45.0,"behavior":70.0,"content":100.0,"graph":53.2},"threats":[{"type":"supply_chain","severity":"medium","detail":"Socket alert: unpopularPackage (middle)"}],"pending_deep_scan":false}]}