GitHub

Kit Signature

Matches a page's HTML and JavaScript against threat-intel signatures of known phishing and malware kits

Matches a page’s HTML and JavaScript against threat-intel signatures of known phishing and malware kits (for example the Calendly credential kit). A signature fires on the structural fingerprint of a kit, so it can catch an injected, token-gated standalone page that impersonates a brand’s login or booking surface even when the softer heuristic integrity rules miss it.

Rule IDintegrity/kit-signature
CategorySite Integrity
ScopePage
Severityerror
Weight9/10

How it works

This rule is part of the opt-in threat-intel feature ([intel]). When the feature is on, squirrelscan loads a set of bundled kit signatures before the audit rules run, then matches each page against them using:

  • the page URL and title,
  • the page HTML and extracted text, and
  • the bodies of inline and external scripts attached to that page.

Signatures are written to be high precision: each one requires several corroborating strings on the same page (a brand lexicon plus a kit tell), so a casual mention never trips it. Because the signature already demands multiple corroborating strings, a match reports a failure directly rather than going through the correlation gate the heuristic integrity rules use.

The signatures ship with squirrelscan and need no API key or network access, so this rule works on every opted-in audit, both from the CLI and in the cloud. When the [intel] feature is off, ctx.intel is undefined and the rule does nothing: it never reports a page as clean for signatures it never ran.

Enable the feature

Threat-intel is off by default. Turn it on to activate this rule:

squirrel.toml
toml
[intel]
enabled = true            # off by default

Solution

A page matching a known kit signature is a strong indicator that your site is compromised: an injected, often token-gated standalone page that impersonates a brand’s login or booking surface to harvest credentials. Remove the page and any unexpected files, rotate credentials, audit server access logs, and review for a web shell or an injected loader. Signatures are high precision (they require multiple corroborating strings), so a match is not a casual false positive.

Enable / Disable

Disable this rule

squirrel.toml
toml
[rules]
disable = ["integrity/kit-signature"]

Disable all Site Integrity rules

squirrel.toml
toml
[rules]
disable = ["integrity/*"]

Type to search…

↑↓ navigate ↵ open esc close