Helixar Labs
DetectorApache 2.0Go

Unpinched

Instant triage for PinchTab and agentic browser-bridge exposure.

When PinchTab was disclosed, incident responders had no fast way to check whether it was in their environment — standard EDR and SIEM had no signatures. Unpinched answers one question in 30 seconds: is it here?

Status
Active
Language
Go
License
Apache 2.0
Platforms
macOS · Linux · Windows
Install
go install github.com/helixar-ai/unpinched@latest

What it scans

PinchTab leaves artifacts but no signature. Unpinched sweeps all four in one pass, across macOS, Linux, and Windows.

Ports & API

Ports 8080–8090, 3000, 4000, 9222, 9229 for PinchTab HTTP listeners and bridge endpoints.

Processes

Running pinchtab, pinchtab-server, and browser-bridge executables on every OS.

CDP bridge

localhost:9222 for the unauthenticated Chrome DevTools endpoint the attack relies on.

Filesystem

Known install paths for PinchTab config files, binaries, and runtime artifacts.

One command, a clear answer

A single binary and a yes/no verdict in under 30 seconds. Add --json for SIEM/SOAR.

unpinched
$ unpinched scan
Scanning ports, processes, CDP, filesystem…
⚠ CDP bridge detected on :9222 (unauthenticated)
✗ Risk level: HIGH
 
$ unpinched scan --json # machine-readable for SIEM/SOAR