A Chromium fork called CloakBrowser, released by New York-based CloakHQ in early 2026, has surpassed 9,200 GitHub stars this week after its latest update added a Windows x64 build and closed what CloakHQ describes as the last storage-based incognito detection vector — giving web-scraping engineers, QA teams, and security researchers a production-ready tool that passes every major bot-detection service without any additional configuration.
New Windows Build and 57-Patch Binary Raise the Stealth Ceiling
The April 28 release upgraded the Chromium base from version 145 to 146 and expanded the project's source-level patch count from 49 to 57. The update added native Linux ARM64 support for Raspberry Pi, ARM servers, and Docker on Apple Silicon, and normalized the StorageBuckets API quota — a storage-based signal that anti-bot vendors had used to distinguish headless browsers from real ones. The Windows x64 binary was simultaneously brought to parity with the Linux build, receiving the full 33-patch fingerprint suite.
Source-Level C++ Patches Evade Detection That Defeats JavaScript-Layer Tools
CloakBrowser bills itself as a drop-in replacement for Playwright's default browser, but its technical approach differs from prior stealth libraries. Tools such as playwright-stealth and undetected-chromedriver inject JavaScript or modify configuration flags at runtime — a layer that anti-bot vendors have studied and built countermeasures against. CloakBrowser instead applies its modifications as C++ patches directly to the Chromium source tree, compiling them into the binary before the browser ships. Because the patches exist below the JavaScript layer, heuristics designed to detect runtime injection do not apply.
Independent testing published in April 2026 by byteiota.com found that CloakBrowser scores 0.9 on reCAPTCHA v3 — nine times the 0.1 score returned by stock Playwright — and auto-resolves Cloudflare Turnstile challenges that Playwright fails entirely. FingerprintJS reports the session as a normal browser, and BrowserScan returns a "NORMAL (4/4)" result across all checks. The GitHub README confirms all tests were last verified against live detection services in April 2026 on Chromium 146.
Scraping Engineers and Red Teams Gain an Off-the-Shelf Option — For Now
For developers maintaining data-collection pipelines that regularly fail against Cloudflare, DataDome, or PerimeterX, CloakBrowser's API parity with Playwright means migration requires changing a single import statement. Early adopters report that existing test suites run without further changes once the binary is substituted. For red teams auditing their own platforms' detection logic, or accessibility engineers who need to simulate realistic browsing environments, the project replaces a patchwork of community plugins with a single maintained binary.
The project is also a cost-effective alternative to commercial anti-detect browsers. Competing services charge recurring fees: GoLogin starts at $10 per month for 50 profiles, Kameleo runs $59 to $149 per month, and Multilogin charges $29 to $199 per month. CloakBrowser's wrapper code is MIT-licensed and freely available; the compiled binary is distributed under a separate license that prohibits credential stuffing and account-creation abuse.
Automated Access to ToS-Protected Services Carries Real Legal Exposure
Anti-detection tooling capable of evading platform security controls at scale is a dual-use technology. CloakHQ's README acknowledges this directly: automating systems without authorization, credential stuffing, and account-creation abuse are expressly prohibited in the binary license. Deploying CloakBrowser against services whose terms of service prohibit automated access may create exposure under the Computer Fraud and Abuse Act in the United States and equivalent statutes in other jurisdictions, regardless of whether the technical barrier is bypassed successfully.
CloakHQ also notes in its FAQ that the arms race between automation tools and detection vendors is ongoing. Source-level patches are harder to fingerprint than configuration-level workarounds, but not impossible: the company says it monitors detection signals actively and pushes updates as vendors evolve their heuristics. The closest comparable project, Camoufox — which applies similar source-level patches to Firefox rather than Chromium — returned to active development in early 2026 but remains in unstable beta, according to CloakHQ.
Available on PyPI, npm, and Docker Hub
CloakBrowser installs via pip or npm; the approximately 200 MB binary downloads automatically on first launch. A Docker image (cloakhq/cloakbrowser) ships with the font packages required to pass canvas-based emoji checks used by Kasada and Akamai. CloakHQ also maintains a self-hosted browser profile manager — a free alternative to Multilogin and AdsPower — that lets teams assign unique fingerprints, proxies, and persistent sessions to individual browser profiles from a web interface. The full project is at github.com/CloakHQ/CloakBrowser.
ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.
