PinchTab: The Stealth Browser Attack Your Security Stack Cannot Detect

On 15 February 2026, a GitHub repository called PinchTab was published. Within three weeks it had amassed nearly 4,000 stars. The project describes itself as a “high-performance browser automation bridge and multi-instance orchestrator with advanced stealth injection.” It is a legitimate tool. It is also one of the most dangerous new attack vectors to emerge this year. And no security product on the market today — no EDR, no SIEM, no firewall — was designed to see it coming.

What Is PinchTab?

PinchTab is a standalone HTTP server, written in Go, that gives AI agents direct control over a Chrome browser. It exposes a REST API on a local port, allowing any process — human-driven or autonomous — to navigate pages, click elements, fill forms, extract content, and manage multiple browser sessions simultaneously.

What makes PinchTab different from earlier browser automation tools like Selenium or Playwright is its design philosophy. It was built from the ground up for the agentic era. Where traditional automation tools were designed for QA engineers running test scripts, PinchTab is optimised for AI agents that need to interact with the web autonomously, efficiently, and — critically — without being detected.

The tool ships with built-in stealth capabilities. It patches navigator.webdriver flags, spoofs user agents, masks Canvas and WebGL fingerprints, and offers humanClick and humanType actions that simulate realistic mouse movements and keystroke timing. Its documentation is candid about the implication: PinchTab is designed to make automated browser activity indistinguishable from human behaviour.

“Think of PinchTab like giving someone your unlocked laptop. Powerful if you trust them. Dangerous if you don't.”
— PinchTab official documentation

Why Attackers Are Paying Attention

PinchTab solves a problem that attackers have struggled with for years: how to operate inside a browser — the application where most enterprise value now lives — without triggering detection. Traditional browser-based attacks rely on malware, browser exploits, or credential phishing. Each of these generates artefacts that modern security tools are trained to catch. PinchTab changes the equation entirely.

An attacker who compromises or deploys a PinchTab instance gains the ability to:

• Harvest credentials silently — navigate to authenticated sessions, extract session tokens, cookies, and stored credentials from the browser's own profile storage, all over a local HTTP API that generates zero network alerts.
• Exfiltrate data through legitimate channels — use the browser's own authenticated sessions to access enterprise SaaS platforms, cloud consoles, internal dashboards, and email. The traffic is indistinguishable from a logged-in user browsing normally.
• Operate across multiple targets simultaneously — PinchTab's multi-instance orchestration allows an attacker to control dozens of browser sessions in parallel, each with its own isolated profile, scaling operations that would previously require a human at each keyboard.
• Evade every layer of bot detection — the stealth injection system is purpose-built to defeat bot detection platforms. Human-like interaction simulation means that even services specifically designed to catch automation cannot reliably distinguish PinchTab activity from a real user.

The critical point is this: none of these actions involves malware. There is no malicious payload, no exploit, no suspicious binary. PinchTab is a signed, legitimate, open-source tool. An attacker using PinchTab is using authorised software to perform unauthorised actions — and that distinction defeats every detection paradigm that modern endpoint security is built on.

The Attack Scenario That Keeps CISOs Up at Night

Consider a realistic attack chain enabled by PinchTab:

An enterprise deploys an AI agent framework — any of the dozens now available — to automate internal workflows. The agent is granted browser access to perform research, file reports, or interact with web-based tools. PinchTab is the bridge: a small binary that sits between the AI agent and the Chrome browser, translating agent instructions into browser actions.

The agent processes external content — a document, a webpage, an email. Embedded in that content are adversarial instructions. The agent, following what it believes are legitimate task directives, begins navigating to internal systems via PinchTab. It accesses a cloud console. It opens an internal HR portal. It downloads a confidential document and uploads it to an external endpoint. Every action uses the enterprise's own authenticated browser session. Every HTTP request goes to a legitimate domain. Every click follows a realistic human-like pattern.

The EDR sees a Go process communicating with Chrome over localhost. Normal. The SIEM sees authenticated API calls to approved SaaS platforms. Normal. The firewall sees HTTPS traffic to domains on the allow list. Normal. The DLP sees data moving through the browser to a cloud storage endpoint. Normal.

Nothing is normal. But every tool in the security stack says it is.

Why Your Current Security Tools Cannot See This

The failure is not a product gap waiting for the next vendor update. It is a fundamental incompatibility between the detection models that underpin today's security infrastructure and the nature of the threat that tools like PinchTab represent.

Endpoint Detection and Response (EDR) tools monitor process behaviour, file system changes, registry modifications, and network connections. A PinchTab-based attack creates none of the artefacts EDR is designed to flag. The process is legitimate. The network connections are to authorised endpoints. The file system access is within scope. There are no indicators of compromise because the tool itself is not compromised — it is being used as designed.

SIEM platforms correlate logs against known attack patterns. PinchTab operations produce logs that are internally consistent with normal browser usage. The access patterns match authorised user behaviour. The volume may be elevated, but so might any legitimate automation workload. There is no known-bad signature to match against.

Bot detection services — the very tools designed to catch browser automation — are explicitly circumvented by PinchTab's stealth injection system. The tool was engineered to defeat these controls, and its documentation openly describes the techniques it uses to do so.

OpenAI acknowledged this structural challenge in December 2025, stating that prompt injection — and by extension, the manipulation of AI agents to perform unintended browser actions — “is unlikely to ever be fully solved.” Gartner followed with a directive recommending that CISOs block the use of AI browsers entirely, an approach that most enterprises cannot practically adopt without crippling productivity.

“The security industry has spent decades building tools to catch attackers who are trying to look like software. We are now facing attackers who are using software to look like users. The detection model needs to invert.”

A Growing Threat Class — Not an Isolated Tool

PinchTab is not an anomaly. It is the most visible representative of a rapidly expanding category of agentic browser automation tools. The Wiz 2025 year-end review documented significant growth in browser automation frameworks designed specifically for AI agent integration. Palo Alto Networks identified the browser as the “new operating system for the enterprise” and highlighted the visibility gap that agentic browser tools create in existing security architectures.

IBM's 2026 X-Force Threat Intelligence Index reported a 44% increase in attacks beginning with exploitation of public-facing applications, driven in part by AI-enabled vulnerability discovery and automated exploitation tooling. Lakera's Q4 2025 research identified the emergence of agent-specific attack patterns — including confidential data leakage attempts, scripted prompt injections, and hidden instructions embedded in external content — as a category distinct from traditional application-layer attacks.

Barracuda Networks named agentic AI as the “2026 threat multiplier,” noting that autonomous agents give attackers the ability to conduct reconnaissance, adapt to defences, and persist across infrastructure without constant human oversight. The attacks do not stop when the attacker goes to sleep. They continue until the agent is stopped.

PinchTab is the tip of the iceberg. The security industry needs to prepare not just for this tool, but for an entire generation of tools that operate the same way: legitimate software, stealth-enabled, designed for AI agents, invisible to signature-based detection.

Helixar Detected It — With Every Rule Turned Off

In March 2026, Helixar's research team conducted a controlled validation test against simulated PinchTab-based stealth attack scenarios. The test conditions were deliberately extreme: every security policy rule in the detection engine was disabled. Zero threshold rules. Zero sequence rules. The rule engine was switched off entirely. The purpose was to answer a single question: can Helixar detect a threat it has never seen before, with no pre-written rules to guide it?

The initial results were encouraging.

In this controlled test, Helixar identified the simulated adversarial activity with high confidence. The system generated 9 evaluations over the course of the test, correctly identifying the first occurrence and intelligently deduplicating the 8 subsequent evaluations into a single, actionable incident. No false positives were observed during the test window. No rules were required.

This is not a detection that was engineered after the fact. No analyst wrote a rule for “PinchTab misuse.” No signature was created. No indicator of compromise was added to a threat feed. The system had never encountered PinchTab before. It detected the simulated threat based on what the activity was — not what the tool was called.

Why This Matters for Every Enterprise

The implications extend far beyond PinchTab itself. While test environments cannot fully replicate the complexity of production deployments, the controlled validation suggests a meaningful capability: detecting a novel, previously unseen threat class without any prior knowledge of the specific tool, technique, or attack chain involved.

Every enterprise security team faces the same fundamental problem: new tools emerge constantly, attackers find creative ways to weaponise them, and writing detection rules after the fact means you are always one step behind. The gap between a new tool appearing on GitHub and security vendors publishing detection rules for its misuse is measured in weeks to months. During that window, enterprises are exposed.

Helixar is designed to narrow that window. The detection approach that identified PinchTab-based simulations represents a fundamentally different philosophy — one that does not depend on recognising the tool, knowing the technique, or having seen the attack before. When the next PinchTab emerges — and it will — Helixar aims to catch it from day one.

The Window Is Open. It Will Not Stay Open Long.

PinchTab has been public for less than three weeks. It has nearly 4,000 GitHub stars and growing. The security industry has published no detection guidance. No EDR vendor has released a dedicated detection capability. No SIEM correlation rule exists for PinchTab-based attack chains. The window of vulnerability is wide open — and the tools to exploit it are available to anyone with a GitHub account.

Enterprise security teams deploying AI agents, browser automation, or any tool that bridges AI systems and web browsers need to answer a direct question: if an attacker used PinchTab against your infrastructure tomorrow, would your security stack detect it?

For most organisations, the honest answer is no.

Helixar exists to change that answer.