tron-phish-rules

July 4, 2026 · View on GitHub

TRON-focused phishing URL heuristics — a versioned rule pack plus a small checker.

Rules are derived from the phishing scanner in TRONSEC. No VirusTotal or network calls — fast offline checks.

CLI

npx tron-phish-check https://tron-claim-airdrop.xyz
npx tron-phish-check --json https://tronscan.org

Exit codes: 0 clean/low, 1 medium risk, 2 high risk.

Library

import { checkUrl, loadRules } from 'tron-phish-rules';

const result = checkUrl('https://tr0nscan-secure.top/login');
// { ok, url, hostname, flags: [{ risk, reason, source }], risk: 'high', legit: false }

const custom = loadRules('/path/to/custom-rules.json');
checkUrl('https://example.com', { rules: custom });

Rule pack

Edit or fork rules/tron-phish-v1.json:

  • legitDomains — skip heuristics for known-good hosts
  • hostnameRules / pathRules — regex patterns with risk level
  • suspiciousTlds — TLD blocklist
  • brandTargets — typosquatting distance check

Bump version when you change rules so consumers can pin versions.

Examples

node -e "import {checkUrl} from './src/check.js'; console.log(checkUrl('https://tronscan.org'))"
node bin/tron-phish-check.js https://wallet-connect-secure.xyz

License

MIT