0/100

critical Risk

compilerhub.org

https://compilerhub.org/

172.67.150.145 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

21 days

HTTP

200 · 26.9s

SSL

Valid· E8, Let's Encrypt, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "CODE COMPILER"

Save

Linked Phishing Report

This scan is attached to a vendor submission report

Brand

compilyn.net

Vendors

22/31

Status

partial

✓ avast✓ brightcloud✓ bitdefender✓ polyswarm✗ threatyeti✗ chainpatrol✓ yandex✗ norton✓ microsoft✓ eset✓ avg⟳ apple⟳ openphish✓ phishreport⟳ isitphish✓ spamhaus✓ urlquery⟳ cisa✓ netcraft⟳ apwg⟳ emsisoft✓ sophos✓ virustotal✓ fortiguard✓ urlscan✓ phishtank✓ urlabuse✓ drweb✓ mcafee✓ kaspersky✓ google

KB/IOK Matches (1)May 30, 2026, 12:40 AM UTC

remix.live-clone-kit

remix-live-clone-kit

high

Directives: skipAi, skipUnblocker, skipMobileVariant

compilyn.net

Unknown

technology | education | fintech · 6/3/2026

Summary

The page presents a CODE COMPILER title on compilyn.net with SPA-like behavior inferred from many JS assets and API endpoints. The page appears to be a code editor environment rather than a classic credential phishing form, and there is no explicit impersonation of a well-known brand in the visible UI. However, several tracking endpoints and wallet-related scripts are loaded, indicating analytics and potential blockchain wallet interactions. The evidence does not conclusively show credential harvesting or impersonation of a third-party brand, but the presence of tracking/config endpoints and wallet integration warrants cautious monitoring for abuse potential. Analyst flagged likely cloaking/evasion behavior for this target. Analyst context noted: Analyst note: this target may cloak content or block scanners.

Evidence Summary

▸Observed 3 capture stage(s); canonical stage is late_render_3s.

▸Content changed across stages: visible text changed materially.

▸POST targets observed during capture: https://compilerhub.org/cdn-cgi/rum?.

▸Distinctive asset clues: editor.js, javascript.min.js, codemirror.min.css, mobile.css.

Capture

Stages: 3

Canonical: Late Render (+3s)

Changed: Yes

visible text changed materially

Credential Signals

Forms: 0

Password fields: 0

Late-stage login UI: No

Resource Signals

Resources: 39

Hosts: 3

Domains: 3

Attack Techniques (2)

SPA-like behavior with credential capture risk due to dynamically rendered forms (no static login fields in HTML but multiple JS bundles loaded).External analytics / ad-related requests and wallet-connect integrations suggesting potential data exfiltration paths via tracking endpoints.

Indicators of Compromise (2)

▸No static login form in HTML; SPA likely renders forms via JavaScript (credential capture risk).

▸Screenshots show a UI titled CODE COMPILER with CodeMirror editor rather than a known brand, suggesting a development tool rather than impersonation of a payment or login-flow site.

Risk AssessmentUsed in abuse reports

The domain compilyn.net is newly registered and resolves behind Cloudflare. The page loads numerous third-party scripts (Google Analytics/Ads, Cloudflare beacon, CodeMirror, Web3, WalletConnect) and exposes endpoints for tracking and wallet-related actions. There is no static login form observed in the HTML, but the SPA architecture means credential capture could occur via dynamically injected forms. While there is no definitive impersonation of a well-known brand, the combination of wallet integration and tracking suggests potential data exposure risks if misused. Recommend monitoring and further analysis of network requests and data handling in the SPA to rule out credential or sensitive data capture. Analyst-reported cloaking/evasion suspicion increases confidence that the operator is actively attempting to evade automated security analysis. Analyst context was provided and corroborated during this assessment (Analyst note: this target may cloak content or block scanners.).

Recommended Action

Monitor

Cross-Reference9

URL Intelligence