Skip to content

The open-source puppeteer-extra-plugin-stealth alternative

The stealth plugin is the easiest way to bolt evasions onto Puppeteer — but every evasion is a JavaScript patch on a stock Chrome, and JS patches self-reveal. Clearcote sets those values natively in the engine, coherent across workers and iframes, and adds the TLS/HTTP-2 layer the plugin can't touch.

What is puppeteer-extra-plugin-stealth?

puppeteer-extra-plugin-stealth (by berstend, ~660k weekly npm downloads) is a bundle of JavaScript evasion modules injected via page.evaluateOnNewDocument before page scripts run — each patches a single tell (navigator.webdriver, plugins, chrome.runtime, WebGL vendor, iframe, codecs, and more). It's MIT-licensed, hugely popular, and passes the common public test pages.

The structural limit is that these are JS overrides on a stock engine, and JS overrides self-reveal: a patched function leaks via Function.prototype.toString, altered property descriptors, and cross-realm/worker/OOPIF re-reads where the patch isn't present. It doesn't change native values, doesn't touch TLS/JA3-JA4 or HTTP/2, and doesn't fix the Runtime.enable CDP leak. Its own README concedes it's 'probably impossible to prevent all ways to detect headless chromium', and it's been semi-maintained lately (roughly a year since an npm release), so evasions age faster than they're updated.

Clearcote vs puppeteer-extra-plugin-stealth

FeatureClearcotepuppeteer-extra-plugin-stealth
Approach Engine-level C++ patches — native values JS evasions injected per document
Detectable seam None — native in every realm (main, workers, iframes) Self-reveals via toString / descriptors / worker / OOPIF
TLS / network coherence Follows the claimed Chrome (JA3/JA4 + HTTP/2) None — stock automation network signature
Framework Playwright & Puppeteer (Python + Node) Puppeteer (Node)
Maintenance Actively maintained Semi-maintained (~1yr since release)
License Open & permissive MIT
Cost Free & open Free & open

Comparison compiled July 2026. puppeteer-extra-plugin-stealth is open source (mit); details change — check its project for the latest.

Why teams pick Clearcote

Native, not overridden

Every stealth-plugin evasion is a JS override a detector can catch. Clearcote sets the values in the engine, so they read as native — there's no override to find.

Coherent across realms

JS patches applied to the main frame diverge in Web Workers and cross-origin iframes. Engine-level values agree everywhere, closing that class of tell.

The network layer

The plugin has no access to TLS or HTTP/2. Clearcote's handshake follows the claimed Chrome version, so the wire matches the JavaScript.

Maintained and verified

Coherence is checked against open tests each release, rather than relying on a set of evasions that age between updates.

When puppeteer-extra-plugin-stealth might be the better pick

  • You already use Puppeteer and want a one-line evasion bundle for lenient targets.
  • You need something MIT-licensed to drop into an existing Node scraper.
  • For public test pages and older detection, it's quick and often good enough.

FAQ

Why do JavaScript stealth patches get detected?

Because they're overrides on a real function. A detector can stringify it (a native function reads [native code]; an override shows its own source), inspect the property descriptor, or re-read the value from a fresh iframe or Web Worker where the patch isn't applied. Engine-level changes avoid this by making the value native everywhere.

How is Clearcote different from the stealth plugin?

The plugin injects JS evasions into a stock Chrome; Clearcote is a modified Chromium where the values are native in the engine — coherent across workers and iframes — plus a TLS/HTTP-2 persona the plugin has no access to.

Is the stealth plugin still maintained?

It's semi-maintained — roughly a year since a release at the time of writing — and increasingly detected as evasions age. Check its repository for the current status.

Related reading

Q&AWhy does Function.toString() reveal a hooked function?Calling toString() on a native function returns “[native code]”; an override returns its own source instead — so detectors stringify APIs to catch JavaScript spoofs.Q&AHow is a headless browser detected?Detectors probe for headless tells: automation launch flags, missing or inconsistent browser APIs, software-render shortcuts, and behavior that differs from a windowed browser.ResearchCoherence over camouflage: why a plausible identity beats a hidden oneMost stealth tooling tries to hide. The signals that survive scrutiny don't hide — they agree with each other.CompareClearcote vs CamoufoxCamoufox is a well-built open-source anti-detect browser — on Firefox. Clearcote takes the same engine-level, open-source philosophy to a de-Googled Chromium, so your automation blends in with the ~65% of the web that runs Chrome.CompareClearcote vs CloakBrowserCloakBrowser is a capable engine-level stealth Chromium — but the patched binary is closed-source and the current engine sits behind a subscription. Clearcote takes the same engine-level approach fully in the open: readable patches, reproducible builds, and free on the current Chromium.CompareClearcote vs undetected-chromedriverundetected-chromedriver is a great zero-config way to hide the Selenium/ChromeDriver seam — but it drives a stock Chrome and never touches the network layer. Clearcote changes the fingerprint inside the engine and keeps the TLS/HTTP-2 stack coherent, so there's no seam to hide.

Try the open-source Chromium alternative

Free and open source, a drop-in for Playwright & Puppeteer, coherent down to the TLS handshake.