tron-phish-rules
July 4, 2026 · View on GitHub
TRON-focused phishing URL heuristics — a versioned rule pack plus a small checker.
Rules are derived from the phishing scanner in TRONSEC. No VirusTotal or network calls — fast offline checks.
CLI
npx tron-phish-check https://tron-claim-airdrop.xyz
npx tron-phish-check --json https://tronscan.org
Exit codes: 0 clean/low, 1 medium risk, 2 high risk.
Library
import { checkUrl, loadRules } from 'tron-phish-rules';
const result = checkUrl('https://tr0nscan-secure.top/login');
// { ok, url, hostname, flags: [{ risk, reason, source }], risk: 'high', legit: false }
const custom = loadRules('/path/to/custom-rules.json');
checkUrl('https://example.com', { rules: custom });
Rule pack
Edit or fork rules/tron-phish-v1.json:
legitDomains— skip heuristics for known-good hostshostnameRules/pathRules— regex patterns with risk levelsuspiciousTlds— TLD blocklistbrandTargets— typosquatting distance check
Bump version when you change rules so consumers can pin versions.
Examples
node -e "import {checkUrl} from './src/check.js'; console.log(checkUrl('https://tronscan.org'))"
node bin/tron-phish-check.js https://wallet-connect-secure.xyz
Related
- tronsec — full terminal with VT + heuristics
- tronsec-worker-starter — optional VT proxy
License
MIT