vaxo94 framework · static + runtime recon pipeline

vaxo94 Recon Framework: mekvle + extract-domains

extract-domains performs offline static analysis across JS bundles, config files, WASM, container images, and multi-ecosystem package manifests — recovering every URL, hostname, and package identifier that could represent a supply chain attack vector.

mekvle orchestrates multiple reconnaissance, crawling, interception, and static-analysis engines into a recursive multi-level pipeline where each level's findings seed the next. This recursive depth is what makes the tool dangerous: a domain that appears only at level 5 — four hops removed from the original target — may seem irrelevant, but the attack path runs in reverse.

If target.com (level 1) loads a bundle from cdn-a.com (level 2), which imports a utility from lib-b.io (level 3), which pulls a polyfill from old-package.net (level 4), which references a script on expired-domain.xyz (level 5) — and expired-domain.xyz has lapsed and can be freely registered — an attacker who registers it serves arbitrary JavaScript that executes in the browser context of target.com. Full XSS, session theft, credential harvesting — with zero interaction from the target's engineering team, because the vulnerable link is four layers deep in a dependency chain no one is monitoring.

The pipeline flags these as subdomain_takeover_candidate and dependency_confusion_candidate findings, ranked by the shortest path back to the original target.

Donations directly support continued development, testing infrastructure, and maintenance of this research framework.

vaxo94@vaxo94:~$ mekvle --no-dep-confusion
==========================================
[>>] Level 1 start (290 input URLs from alive.txt)
==========================================
[1] Running response checks for every URL listed in alive.txt...
[done] response output collected
[1] Crawling discovered links with supporting collectors and saving results to out.txt...
[done] crawl output saved to out.txt
[1] Extracting unique links from the collected output...
[done] unique Level 1 links exported
[1] Deep parsing output files with extract_domains for previously unknown links...
[>>] Level 2 start (all links discovered at Level 1 -> level1.txt)
[2] Running response checks for every URL listed in level1.txt...
[loop] mekvle repeats the same workflow up to Level 10

Core tools

Two custom tools built for deep attack-surface discovery

extract-domains sees what is written into files. mekvle sees what the target reveals when crawling, downloading, proxying browser traffic, and validating the results repeatedly.

Static analyzer

extract-domains

-h, --help Show help message and exit
--version, -V Print version and exit
target Target directory, default: current directory
output Output file, default: extract_domains_output.txt
--workers WORKERS, -w WORKERS Number of parallel workers, default: CPU count
--no-global-var-map Skip the cross-file variable-map pre-scan for very large directories
--depth DEPTH, -d DEPTH Match files at an exact directory depth
--refresh-tlds Force refresh the TLD cache from IANA
--wordlist WORDLIST, -W WORDLIST Optional wordlist for cross-reference
--supply-chain-only Output only URLs found via supply chain patterns
--tags Append source tags as a third TSV output column
--stdin Read a single response or HTTP capture from stdin
--stdin-format auto|http|har|json|text Hint to the stdin reader
--har HAR_FILE Treat the named file as a HAR archive
--ast auto|on|off JavaScript AST extraction mode
--max-ast-bytes MAX_AST_BYTES Per-file AST parse ceiling in bytes
--scope HOST_OR_PATTERN Restrict output to scoped URL hosts
--third-party-only FIRST_PARTY Only emit URLs outside the first-party eTLD+1
--json-output JSON_FILE Write a machine-readable JSON report
--asset-graph GRAPH_JSON Write an optional asset graph JSON report
--asset-graph-summary SUMMARY_JSON Write only the asset graph summary JSON
--takeover-report TAKEOVER_FILE Write takeover candidate URLs
--dep-confusion Include package/module name findings in supply-chain-only output
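To make the flags above concrete, the script below is a small static extractor written for this page as an added example; it is not the extract-domains source. It scans three constructed sample files (a JS bundle, a package.json and a Dockerfile, all embedded inline), recovers URLs, hostnames, container registry hosts and package identifiers, records the source file the way the --tags column does, and applies --scope and --third-party-only style filters. The Finding class, the regexes and the sample contents are this example's own, and the eTLD+1 rule is a naive "last two labels" assumption standing in for the IANA TLD cache the real tool refreshes with --refresh-tlds.

```python
"""Minimal static extractor in the spirit of extract-domains (example code
written for this page, not the project's implementation)."""
import json
import re
from dataclasses import dataclass
from fnmatch import fnmatch
from urllib.parse import urlparse

# Constructed sample inputs standing in for a scanned target directory.
SAMPLE_FILES = {
    "dist/app.bundle.js": """
        const API = "https://api.target.com/v1/";
        import("https://cdn-a.com/widgets/chart.min.js");
        fetch('//telemetry.old-package.net/beacon?id=1');
        window.__cfg = {endpoint: "wss://ws.target.com/socket"};
    """,
    "package.json": json.dumps({
        "name": "target-frontend",
        "dependencies": {"lib-b": "^2.1.0", "@target/internal-ui": "1.4.2"},
    }),
    "Dockerfile": (
        "FROM registry.lib-b.io/base/node:20\n"
        "RUN curl -s https://expired-domain.xyz/setup.sh | sh\n"
    ),
}

# Absolute and protocol-relative URLs (http, https, ws, wss).
URL_RE = re.compile(
    r"""(?:https?:|wss?:)?//(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(?:/[^\s'"`<>)]*)?""",
    re.I,
)
# Container image references whose registry part is a hostname.
IMAGE_RE = re.compile(r"^FROM\s+((?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?/[^\s:@]+)", re.I | re.M)


@dataclass(frozen=True, order=True)
class Finding:
    value: str   # URL, image reference or package name exactly as written
    host: str    # hostname the finding points at ("" for bare package names)
    kind: str    # url | container_image | package
    source: str  # file the finding was recovered from (the --tags column)


def etld1(host: str) -> str:
    """Registrable-domain guess. ASSUMPTION: last two labels. A real tool needs
    a public-suffix list (co.uk and friends), which is why extract-domains
    keeps a TLD cache."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract(files: dict[str, str]) -> list[Finding]:
    """Recover URLs, hostnames and package identifiers from every file."""
    found: set[Finding] = set()
    for path, text in files.items():
        for m in URL_RE.finditer(text):
            url = m.group(0)
            # Protocol-relative "//host/..." needs a scheme before urlparse sees a host.
            parsed = urlparse(url if "://" in url else "https:" + url)
            found.add(Finding(url, parsed.hostname or "", "url", path))
        for m in IMAGE_RE.finditer(text):
            ref = m.group(1)
            registry = ref.split("/", 1)[0].split(":")[0]
            found.add(Finding(ref, registry, "container_image", path))
        if path.endswith("package.json"):
            manifest = json.loads(text)
            for section in ("dependencies", "devDependencies"):
                for name in manifest.get(section, {}):
                    found.add(Finding(name, "", "package", path))
    return sorted(found)


def filter_findings(findings, scope=None, first_party=None):
    """--scope style glob on the host and --third-party-only style exclusion of
    everything inside the first-party eTLD+1. Hostless package names are not
    URLs, so the scope filter leaves them alone (an assumption of this example)."""
    kept = []
    for f in findings:
        if f.host:
            if scope and not fnmatch(f.host, scope):
                continue
            if first_party and etld1(f.host) == etld1(first_party):
                continue
        kept.append(f)
    return kept


def to_tsv(findings, tags=False):
    """value<TAB>kind, plus the source file as a third column when tags=True."""
    return "\n".join(
        "\t".join([f.value, f.kind] + ([f.source] if tags else [])) for f in findings
    )


if __name__ == "__main__":
    everything = extract(SAMPLE_FILES)
    print(to_tsv(filter_findings(everything, first_party="target.com"), tags=True))
```

Run as-is it prints only the third-party findings with their source file, which is the view a reviewer wants when deciding which external hosts a build actually reaches. The registry host recovered from the Dockerfile and the protocol-relative beacon URL are the two cases a URL-only grep misses.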

Recon orchestrator

mekvle

-h, --help Show help message and exit
--skip-download Skip per-URL download stage
--skip-crawl Skip crawler + MITM capture
--skip-extraction Skip extract-domains static analysis
--skip-scan Skip final validation stage
--only-merge Only merge existing files
--no-mitm Disable MITM capture
--mitm-port MITM_PORT MITM listen port, default 8080
--dep-confusion / --no-dep-confusion Toggle dependency-confusion mode

Recursive depth

Why a fifth-level domain can still compromise the first-level target

extract-domains performs offline static analysis across JS bundles, config files, WASM, container images, and multi-ecosystem package manifests, recovering every URL, hostname, and package identifier that could represent a supply chain attack vector.

mekvle orchestrates reconnaissance, crawling, interception, and static-analysis stages into a recursive multi-level pipeline where each level's findings seed the next. That recursive depth is the advantage: a domain that appears only at level 5 may look distant, but the attack path runs in reverse.

Level 1

target.com

Original target loads a public asset.

Level 2

cdn-a.com

The asset chain moves through a third-party CDN.

Level 3

lib-b.io

A utility dependency adds another remote source.

Level 4

old-package.net

An older package references legacy infrastructure.

Level 5

expired-domain.xyz

A lapsed domain becomes a takeover candidate.

Attack path runs in reverse

If target.com loads a bundle from cdn-a.com, which imports lib-b.io, which pulls old-package.net, which references expired-domain.xyz, then the fifth-level domain can still become part of the first-level target's browser execution path.

Business impact

If expired-domain.xyz has lapsed and can be registered, an attacker can serve arbitrary JavaScript that executes in the browser context of target.com. The result can be XSS, session theft, credential harvesting, or silent data collection without a new code change from the target's engineering team.

How the framework ranks it

The pipeline flags these paths as candidate findings and ranks them by the shortest verified path back to the original target, making deeply nested supply-chain risk visible and reviewable.

subdomain_takeover_candidate · dependency_confusion_candidate · shortest_path_priority
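The level loop shown in the terminal session and the shortest-path ranking described both in the introduction and in this section, as an added example written for this page (not mekvle's own code): each level fetches the URLs first seen at the previous level, extracts links, feeds only unseen ones into the next level, and the takeover candidates are then ranked by hops back to the original target over the host graph. It runs against a constructed in-memory CORPUS in place of the download and crawl stages, and LAPSED_HOSTS is a stand-in for the final validation stage; every host name and URL in it is constructed for the illustration.

```python
"""Recursive level loop and shortest-path ranking in the style of mekvle
(example code written for this page, not the project's implementation).
Runs against a constructed in-memory corpus instead of live hosts."""
import re
from collections import deque
from urllib.parse import urlparse

# Constructed stand-in for the download/crawl stages: URL -> body it would return.
CORPUS = {
    "https://target.com/": '<script src="https://cdn-a.com/bundle.js"></script>',
    "https://cdn-a.com/bundle.js": 'import "https://lib-b.io/util.js"; fetch("https://api.target.com/v1");',
    "https://lib-b.io/util.js": 'import "https://old-package.net/polyfill.js";',
    "https://old-package.net/polyfill.js": 'document.write("<script src=https://expired-domain.xyz/legacy.js></script>");',
    "https://api.target.com/v1": "{}",
}
# ASSUMPTION: a registrability oracle. The real pipeline validates in its final
# scan stage; here one host is simply declared lapsed so the ranking has input.
LAPSED_HOSTS = {"expired-domain.xyz"}

URL_RE = re.compile(r"""https?://(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s'"<>]*)?""", re.I)


def fetch(url: str):
    """Download-stage stand-in; None plays the role of an unreachable URL."""
    return CORPUS.get(url)


def host_of(url: str) -> str:
    return urlparse(url).hostname or ""


def run_levels(seeds, max_level=10):
    """Level N fetches every URL first seen at level N, extracts links, and feeds
    only never-before-seen ones into level N+1 (alive.txt -> level1.txt -> ...).
    Returns the URL edges and the level at which each URL was first discovered."""
    level_of = {u: 1 for u in seeds}
    edges = []
    frontier = list(seeds)
    for level in range(1, max_level + 1):
        if not frontier:
            break
        next_frontier = []
        for url in frontier:
            body = fetch(url)
            if body is None:
                continue
            for link in URL_RE.findall(body):
                edges.append((url, link))
                if link not in level_of:
                    level_of[link] = level + 1
                    next_frontier.append(link)
        frontier = next_frontier
    return edges, level_of


def shortest_host_paths(edges, root_host):
    """BFS over the host graph from the original target: host -> hop path."""
    adjacent = {}
    for src, dst in edges:
        adjacent.setdefault(host_of(src), set()).add(host_of(dst))
    paths = {root_host: [root_host]}
    queue = deque([root_host])
    while queue:
        current = queue.popleft()
        for nxt in sorted(adjacent.get(current, ())):
            if nxt not in paths:
                paths[nxt] = paths[current] + [nxt]
                queue.append(nxt)
    return paths


def takeover_candidates(edges, root_host, is_lapsed):
    """Flag lapsed hosts as subdomain_takeover_candidate, ranked by fewest hops
    back to the original target (the shortest_path_priority described above)."""
    paths = shortest_host_paths(edges, root_host)
    ranked = [
        {"finding": "subdomain_takeover_candidate", "host": h, "hops": len(p) - 1, "path": p}
        for h, p in paths.items() if is_lapsed(h)
    ]
    return sorted(ranked, key=lambda r: (r["hops"], r["host"]))


if __name__ == "__main__":
    edges, level_of = run_levels(["https://target.com/"])
    for url, lvl in sorted(level_of.items(), key=lambda kv: kv[1]):
        print(f"level {lvl}: {url}")
    for row in takeover_candidates(edges, "target.com", lambda h: h in LAPSED_HOSTS):
        print(row["finding"], row["host"], f"{row['hops']} hops", " -> ".join(row["path"]))
```

The important detail for reviewing output is that the level number records where a URL was first discovered, while the hop count is computed over hosts by BFS; the two agree here (level 5, four hops) but diverge as soon as a host is reachable by more than one route, which is why ranking uses the shortest verified path rather than the discovery level.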
