Evilpuppet
The evilpuppet section attaches an Evilpuppet plugin to the phishlet. Evilpuppet is Evilginx's browser-automation module — it drives a real browser session in the background to handle interactions that a pure HTTP proxy cannot, such as solving anti-bot challenges or completing authentication flows that depend on client-side state.
A phishlet declares its Evilpuppet plugin by pointing at a JavaScript file in the phishlet's own evilpuppet/ directory.
Shape
```
evilpuppet: {
  plugin: "@plugin.js"
}
```
| Field | Type | Required | Description |
|---|---|---|---|
| plugin | string | no | The plugin file to load, relative to the phishlet's evilpuppet/ directory. Must start with @. |
@ is mandatory
Unlike most other fields that accept @, evilpuppet.plugin is file-only — it cannot be an inline string. Forgetting the @ produces the error "evilpuppet: plugin must point to a local script file using a `@` prefix" at load time.
The path after the @ is resolved against <phishlet-directory>/evilpuppet/. So plugin: "@plugin.js" loads <phishlet-directory>/evilpuppet/plugin.js.
Omit the evilpuppet section entirely if the phishlet does not need browser automation.
Disk layout
```
my-phishlet/
├── config.hjson
├── static/
└── evilpuppet/
    └── plugin.js    ← referenced by evilpuppet.plugin
```
The contents and API of Evilpuppet plugins themselves are out of scope for this page — this section only documents how a phishlet declares its plugin.