# node-extensions.pages.dev — SUSPICIOUS > PhishDestroy warns node-extensions.pages.dev is a crypto drainer impersonating Node.js extensions. 0/95 VirusTotal detections. ## Summary PhishDestroy identifies node-extensions.pages.dev as a generic phishing domain hosting a crypto drainer kit designed to deceive users into connecting crypto wallets under the guise of Node.js extensions. The domain shows no branding affiliation with Node.js or Cloudflare but leverages Cloudflare Pages to host malicious scripts that siphon cryptocurrency funds upon wallet connection. Threat actors commonly deploy crypto drainers on deceptive subdomains mimicking legitimate developer tools, exploiting trust in well-known frameworks to trick users into executing unauthorized transactions. This domain was registered through Cloudflare, Inc., resolving to IP 172.66.44.123 with a Google Trust Services SSL certificate. VirusTotal currently shows 0/95 detections, indicating it remains undetected by most antivirus engines as of the latest scan. The domain’s creation date and additional historical data are under review, but Cloudflare Pages integration suggests recent deployment typical of fast-moving phishing campaigns. The absence of detections highlights the challenge in early identification, though behavioral analysis reveals red flags such as the promotion of wallet-draining scripts disguised as extension downloads. As of this report, node-extensions.pages.dev remains active with a risk level marked as under investigation. Security researchers have flagged the domain for hosting crypto drainer payloads, and PhishDestroy advises users to avoid interacting with the site pending further analysis. While the current risk is speculative, the lack of VirusTotal detections and Cloudflare’s hosting infrastructure complicates immediate takedown. Users are urged to verify the legitimacy of any Node.js-related extensions only through trusted sources and to cross-check domains using PhishDestroy before engaging. Remaining risk is moderate given the domain’s active status and potential for future campaign escalation. ## Threat Details - Verdict: SUSPICIOUS - Site status: unknown (HTTP ?) ## Domain Intelligence - Registrar: Cloudflare, Inc. - IP: 172.66.44.123 ## Detection Status - VirusTotal: 0 vendors flagged - Google Safe Browsing: clean - Blocklists: 0 hits ## Evidence - Cloudflare Radar: https://radar.cloudflare.com/domains/node-extensions.pages.dev - PhishDestroy: https://phishdestroy.io/domain/node-extensions.pages.dev/ - LLM endpoint: https://phishdestroy.io/domain/node-extensions.pages.dev/llm.txt ## If You Visited This Site 1. Change any passwords you may have entered 2. Enable 2FA on all related accounts 3. Monitor your accounts for unauthorized activity 4. Report to: FBI IC3, Europol, local authorities --- Report by PhishDestroy | https://phishdestroy.io/domain/node-extensions.pages.dev/ Last updated: 2026-04-07