Add daemon-guarded-4535.vercel.app to blocklist

[NoirReports]

Blocklist Addition: daemon-guarded-4535.vercel.app

Summary

Adding daemon-guarded-4535.vercel.app to the Phantom blocklist. This domain is an active Solana wallet drainer — it prompts users to connect their Phantom wallet and then submits malicious transactions to steal all SOL and SPL tokens.

Evidence

• urlscan.io result: View Scan
• The scan shows the site loading wallet connection prompts and injected JavaScript

Domain Intelligence

(no WHOIS/intel data available)

Attack Details

• Target: Phantom and other Solana wallet users
• Method: Fake dApp UI → wallet connection prompt → malicious drain transactions
• Impact: Complete wallet drain (SOL + all SPL tokens)
• Distribution: Social media, Discord DMs, fake airdrop campaigns
• Technical: Obfuscated JS, anti-analysis techniques, transaction simulation spoofing

Verification

• Confirmed the domain is actively malicious
• Domain is not already on the blocklist
• Simultaneously reported to MetaMask, Solflare, ScamSniffer, and Google Safe Browsing

Summary by CodeRabbit

• Chores
  • Updated blocklist to include an additional blocked domain.

[coderabbitai]

📝 Walkthrough

Walkthrough

A single URL entry, daemon-guarded-4535.vercel.app, was added to the blocklist configuration file. No other modifications were made.

Changes

Cohort / File(s)	Summary
Blocklist Configuration blocklist.yaml	Added one URL entry to the blocklist. No other entries were modified.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and accurately describes the main change—adding a specific domain to the blocklist, which matches the file modification and PR objectives.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Tip

Issue Planner is now in beta. Read the docs and try it out! Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@blocklist.yaml`:
- Line 2322: The blocklist entry "url: daemon-guarded-4535.vercel.app" lacks
independent verification; before merging, confirm the urlscan.io finding
documents active malicious behavior (not just a static news clone) and
cross-check the domain against at least one independent threat feed such as
ScamSniffer, abuse.ch/URLhaus, or Google Safe Browsing; if verification fails,
remove or flag the "daemon-guarded-4535.vercel.app" entry in blocklist.yaml and
instead add a temporary note/metadata indicating unconfirmed status and
recommendation to monitor for Vercel ephemeral redeployments.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Query URLhaus (abuse.ch) for threat information on the domain
echo "=== URLhaus Lookup ==="
curl -s --max-time 15 \
  "https://urlhaus-api.abuse.ch/v1/host/" \
  -d "host=daemon-guarded-4535.vercel.app" 2>/dev/null | python3 -m json.tool 2>/dev/null || echo "URLhaus lookup unavailable"

Repository: phantom/blocklist

Length of output: 115

---

🌐 Web query:

daemon-guarded-4535.vercel.app phishing scam threat

💡 Result:

The specific URL daemon-guarded-4535.vercel.app does not show obvious phishing behavior in a basic check: it currently serves what looks like a static “Lobsters” news-front-page clone, and the “Login / Recent / Comments / Search” links on that page don’t actually work (they return 404), which is consistent with a copied or incomplete static page rather than a functional credential-harvesting site. [1]

That said, .vercel.app subdomains are frequently abused in phishing/malware campaigns because they inherit trust from a legitimate hosting provider, and multiple threat reports document attackers hosting fake login/document pages and malware delivery on Vercel. [2][3]

What to do (safe handling)

• If you encountered this link via an email/DM/ad, treat it as suspicious and don’t enter credentials or download anything.
• If you already interacted with it (typed passwords, OAuth, downloaded files), tell me what you did and what it asked for, and I’ll walk you through incident steps.
• You can report the URL to Vercel (abuse report) and to your email/security tooling; campaigns often rotate to new subdomains quickly. [2][3]

Bottom line: I don’t see direct evidence (from this quick content check) that this exact subdomain is actively phishing right now, but because Vercel subdomains are commonly used for phishing, you should treat it as untrusted unless you can verify who sent it and why. [1][2][3]

Sources: [1] [2] [3]

---

🌐 Web query:

asdhhasdjjoizxoicjzxc GitHub user

💡 Result:

The GitHub username asdhhasdjjoizxoicjzxc belongs to a user whose display name is “Noir.”. The profile shows 3 public repositories, all forks: blocklist (from phantom/blocklist), scam-database (from scamsniffer/scam-database), and eth-phishing-detect (from MetaMask/eth-phishing-detect). [1]

Source(s):
[1] (github.com)

Citations:

• 1: https://github.com/asdhhasdjjoizxoicjzxc

---

Independently verify the domain threat before merging — submitter identity is legitimate, but threat evidence remains unconfirmed.

One significant concern and one operational note warrant review:

1. Unverified threat: The only threat evidence is a self-supplied urlscan.io scan. No independent threat-intelligence confirmation found in URLhaus, ScamSniffer, or public security feeds. Current web inspection shows the domain serving static content (non-functional news clone), not an active credential-harvester—though .vercel.app subdomains are frequently abused for phishing and should be treated cautiously.

2. Vercel ephemeral deployments: Even if confirmed malicious, Vercel auto-generated subdomains (adjective-noun-number pattern) are ephemeral. The attacker can redeploy at a new URL immediately. A single-entry block may offer only short-term protection.

Note: The submitter (asdhhasdjjoizxoicjzxc, GitHub: "Noir") has an established GitHub presence with forks of legitimate security projects (phantom/blocklist, scamsniffer/scam-database, MetaMask/eth-phishing-detect), indicating active security research involvement rather than a throwaway account.

Recommended verification before merge:

• Confirm the urlscan.io result actually documents active malicious behavior (not just a static copy).
• Cross-reference against at least one independent public feed: ScamSniffer, abuse.ch URLhaus, or Google Safe Browsing.
• Consider whether Vercel-wide abuse patterns warrant a broader policy discussion, since single-entry blocks on ephemeral Vercel subdomains have limited durability.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@blocklist.yaml` at line 2322, The blocklist entry "url:
daemon-guarded-4535.vercel.app" lacks independent verification; before merging,
confirm the urlscan.io finding documents active malicious behavior (not just a
static news clone) and cross-check the domain against at least one independent
threat feed such as ScamSniffer, abuse.ch/URLhaus, or Google Safe Browsing; if
verification fails, remove or flag the "daemon-guarded-4535.vercel.app" entry in
blocklist.yaml and instead add a temporary note/metadata indicating unconfirmed
status and recommendation to monitor for Vercel ephemeral redeployments.