Unpinched
Instant triage for PinchTab and agentic browser bridge exposure.
When PinchTab was disclosed, incident responders had no fast way to check if it was present in their environment. Standard EDR and SIEM had no signatures for it. Unpinched was built to answer one question in 30 seconds: is it here?
Status: Active
Language: Go
License: MIT
Platforms: macOS · Linux · Windows
Install
go install github.com/helixar-ai/unpinched@latest
The Problem
PinchTab is a stealth browser attack class that bridges AI agent tool calls directly to a victim's browser session. It exploits the Chrome DevTools Protocol, a legitimate debugging interface, to give an agent full read/write access to every open tab, without triggering any browser security prompt and without appearing in standard endpoint detection logs.
When details of the technique became public, enterprise security teams faced an immediate problem: they had no way to quickly determine whether PinchTab tooling was deployed in their environment. The attack leaves artifacts (running processes, open ports, CDP endpoints, filesystem markers), but no single tool surfaced them in one sweep across all three major operating systems.
Unpinched was built as a fast-response triage tool for exactly this scenario. One binary. One command. A clear yes/no answer in under 30 seconds.
What It Does
Port & API Exposure
Scans ports 8080–8090, 3000, 4000, 9222, and 9229 for PinchTab HTTP API listeners and bridge service endpoints.
Process Detection
Enumerates running processes for pinchtab, pinchtab-server, and browser-bridge executables across all three operating systems.
CDP Bridge Detection
Checks localhost:9222 for unauthenticated Chrome DevTools Protocol endpoint exposure, the core mechanism behind PinchTab attacks.
Filesystem Artifact Search
Searches known installation paths across macOS, Linux, and Windows for PinchTab configuration files, binaries, and runtime artifacts.
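The CDP bridge check described above, sketched as an added example (not Unpinched's own code). It assumes the standard DevTools HTTP endpoint /json/version and its webSocketDebuggerUrl field; ProbeCDP and cdpVersion are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"time"
)

// cdpVersion holds the fields of a DevTools /json/version reply that matter
// for triage. The type name is hypothetical, not taken from Unpinched.
type cdpVersion struct {
	Browser string `json:"Browser"`
	WSURL   string `json:"webSocketDebuggerUrl"`
}

// ProbeCDP requests /json/version from baseURL and reports whether a DevTools
// endpoint answered without any credentials. A refused connection, a non-200
// status (for example 401 from an authenticating proxy) or a body that is not
// a CDP version document all count as "not exposed".
func ProbeCDP(baseURL string, timeout time.Duration) (bool, cdpVersion) {
	var v cdpVersion
	client := &http.Client{Timeout: timeout}
	resp, err := client.Get(baseURL + "/json/version")
	if err != nil {
		return false, v
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, v
	}
	// Cap the read: whatever is listening on the port is untrusted.
	if err := json.NewDecoder(io.LimitReader(resp.Body, 64<<10)).Decode(&v); err != nil {
		return false, v
	}
	return v.WSURL != "", v
}

func main() {
	// Loopback only: this is a local triage check, as on the page.
	exposed, v := ProbeCDP("http://127.0.0.1:9222", 2*time.Second)
	if exposed {
		fmt.Printf("CDP endpoint answered without authentication: %s\n", v.Browser)
		return
	}
	fmt.Println("no unauthenticated CDP endpoint on 127.0.0.1:9222")
}
```

A hit only means a browser was started with remote debugging enabled; correlating it with the process and filesystem checks is what distinguishes a developer's debug session from a bridge.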
Quick Start
Install and run a full environment sweep in under a minute.
$ go install github.com/helixar-ai/unpinched@latest
✓ unpinched installed
$ unpinched scan
Scanning ports 8080-8090, 3000, 4000, 9222, 9229...
Checking running processes...
Probing CDP endpoint on localhost:9222...
Searching filesystem artifacts...
⚠ CDP bridge detected on :9222 (unauthenticated)
✗ Risk level: HIGH

# Machine-readable output for SIEM/SOAR integration
$ unpinched scan --json
Know in 30 seconds. Is PinchTab running in your environment?
Unpinched is open source, MIT licensed, and runs on macOS, Linux, and Windows.