https://github.com/mthcht/traceglyph
Browser Extension - TraceGlyph analyzes websites in real-time to detect browser fingerprinting (40+ API hooks), phishing indicators (47 rules), hidden tracking pixels (35+ networks decoded), and network anomalies, extract IOCs and more... https://chromewebstore.google.com/detail/traceglyph-by-mthcht/kigmpggalbjkdhcejfllcnjnpccoaebh
- Host: GitHub
- URL: https://github.com/mthcht/traceglyph
- Owner: mthcht
- Created: 2026-04-05T21:52:09.000Z (2 months ago)
- Default Branch: main
- Last Pushed: 2026-05-10T21:18:50.000Z (about 1 month ago)
- Last Synced: 2026-05-10T23:26:10.191Z (about 1 month ago)
- Topics: browser, extension-chrome, extension-edge, fingerprint-scanner, iocs, phishing-detection, tracker-blocker
- Language: JavaScript
- Homepage:
- Size: 180 KB
- Stars: 2
- Watchers: 0
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
README
# TraceGlyph
Website security analyzer
TraceGlyph is a free, open-source Chrome/Edge/Brave extension that performs real-time security analysis on every website you visit. It detects browser fingerprinting, identifies phishing indicators, spots JavaScript obfuscation, audits security headers, maps findings to MITRE ATT&CK techniques, and exports IOCs - all without sending any data externally.
> Think of it as urlscan.io + Wappalyzer + a fingerprint detector, running live in your browser.

## Features
### Fingerprint Detection - 50+ API hooks
Intercepts Canvas, WebGL, WebGPU, Audio (buffer reads + AnalyserNode), Font (measureText + CSS offset probing), WebRTC (including webkit prefix), Battery, Media Devices, Screen, Navigator (25+ properties), Client Hints (getHighEntropyValues), Geolocation, Speech Synthesis, Gamepad, behavioral biometrics (mouse/keyboard/scroll), and incognito mode probing. Ghost and spoof modes use domain-seeded deterministic noise and internally-consistent device profiles.
### Phishing Analysis - 47 detection rules
Credential harvesting forms (cross-origin, mailto, orphan password fields), brand impersonation (30+ tracked brands), anti-analysis evasion (DevTools blocking, debugger traps, console.clear), social engineering urgency detection (19 phrases), exfiltration channels (Telegram bots, Discord webhooks), and suspicious page structure (overlay login, hidden iframes, minimal pages).
### JS Obfuscation Detection - 12 patterns
Eval packers, Base64+XOR combos (Whisper 2FA / BlackForce signatures), hex/unicode encoding, string array rotation (obfuscator.io), `document.write(unescape())`, Function constructor abuse, cache-busting hash filenames.
### Network Intelligence
All domains with resolved IPs, redirect chains, 60+ tracker signatures, HTTP/HTTPS stats, resource type breakdown, page timing (DNS, TLS, TTFB, DOM loaded), and network anomaly detection (unusual ports, POST to raw IP, suspicious file extensions, base64 URL params).
### Security Audit
12+ HTTP security headers, cookie flags, form risk assessment, iframe analysis.
### Technology Detection - 120+ technologies
Wappalyzer-class detection via DOM selectors + window globals + URL/header pattern matching across 25+ categories.
### MITRE ATT&CK Mapping
Every detection category maps to technique IDs: T1082, T1566, T1059.007, T1496, T1115, T1027, T1041, T1036, and 20+ more.
### IOC Export
One-click export of domains, IPs, domain→IP map, redirect chains, trackers, script hashes, network anomalies, and critical detections. Structured DFIR report with ATT&CK IDs.
## Install
### From Chrome Web Store
https://chromewebstore.google.com/detail/traceglyph-by-mthcht/kigmpggalbjkdhcejfllcnjnpccoaebh
### From source
```bash
git clone https://github.com/mthcht/traceglyph.git
```
1. Open `chrome://extensions` (or `edge://extensions`)
2. Enable "Developer mode"
3. Click "Load unpacked" and select the cloned folder
4. Pin the extension via the puzzle icon
## Architecture
| File | Lines | Purpose |
|------|-------|---------|
| `manifest.json` | 47 | MV3 manifest |
| `background.js` | 198 | Service worker: network monitoring, IP resolution, scoring, tech detection |
| `content.js` | 620 | DOM analysis: phishing indicators, obfuscation, forms, links, timing |
| `injected.js` | 758 | Page-context API hooks: 40+ fingerprint vectors, self-filtering |
| `tech-detect.js` | 76 | Window globals detection + JS globals enumeration (CSP-safe) |
| `popup/popup.html` | 193 | Dashboard UI with light/dark theme |
| `popup/popup.js` | 66 | Dashboard logic, rendering, theme toggle, export |
| `welcome.html` | 167 | Install page with full capabilities documentation |
## Self-Filtering
The extension excludes its own activity from analysis:
- `isSelfTriggered()` checks call stack - drops detections from extension frames
- Network listeners skip all `chrome-extension://` URLs
- DOM observer ignores extension-origin script nodes
- fetch/XHR hooks skip extension URLs
## Scoring
| Category | Max | Signals |
|----------|-----|---------|
| Fingerprinting | 35 | Canvas, WebGL, Audio, Font, WebRTC, Battery - bonus at 3+ types |
| Tracking | 20 | Known trackers, tracking pixels, session replay |
| Behavior | 20 | eval, exfiltration, WebSocket, cryptomining, clipboard |
| Phishing | 15 | Phishing indicators, JS obfuscation, suspicious URLs |
| Security | 12 | Missing CSP/HSTS, weak headers, tech disclosure |
| Infrastructure | 10 | Suspicious TLDs, DGA domains, excess redirects |
| Anomalies | 8 | Network anomalies |
| Forms | 10 | Critical-risk forms, hidden cross-origin iframes |
| Cookies | 3 | Tracking cookies |
## Privacy
- Everything runs locally - zero external data transmission
- No analytics, no telemetry, no cloud processing
- Open source for full code audit
- `` permission used solely for webRequest monitoring
## License
MIT
## Author
[mthcht](https://github.com/mthcht)
## Ghost & Spoof Modes
TraceGlyph includes two active protection modes, toggled per-site or globally from the popup header:
### 👻 Ghost Mode - Block fingerprinting
Returns generic/default values. Sites see a standard browser profile instead of your real one. Canvas and audio use domain-seeded deterministic noise instead of blank/zeroed values (blank responses are more fingerprintable than common-looking hashes).
| API | Ghost returns |
|-----|-------------|
| Navigator | Win32, Google Inc., en-US, 4 cores, 8GB RAM, no plugins |
| Client Hints | Generic x86/Windows/Chrome 124 profile |
| Canvas | Domain-seeded deterministic noise (stable across visits) |
| WebGL | Generic "WebKit WebGL", strips debug_renderer_info |
| WebGPU | null adapter (no GPU info) |
| Screen | 1920×1080, 24-bit, 1x pixel ratio |
| CSS media queries | All fingerprint queries → false |
| Audio | Nodes created, buffer reads get deterministic noise |
| Font | Constant metrics for measureText + CSS offset probing |
| WebRTC | Completely blocked (incl. webkit prefix) - dummy object, no IP leaks |
| Battery | Fake full battery (100%, charging) |
| Timezone | UTC (offset 0) |
| Incognito probe | Large quota (appears non-incognito) |
### 🎭 Spoof Mode - Randomize fingerprinting
Returns realistic fake values from curated, internally-consistent device profiles. Values are domain-seeded (FNV-1a hash of hostname) so the same site always sees the same fingerprint across page loads.
| API | Spoof behavior |
|-----|---------------|
| Navigator | Consistent profile (platform + UA + GPU + cores all match) |
| Client Hints | Architecture/platform coherent with active profile |
| Canvas | Domain-seeded deterministic noise pixels |
| WebGL | GPU renderer matching active profile |
| Screen | Resolution + pixel ratio from active profile |
| Audio | Buffer reads get deterministic noise |
| CSS media queries | Randomized true/false |
| Timezone | Random from 10 real timezones |
| Media devices | Randomized device count |
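
The domain-seeded noise described for Ghost and Spoof modes, as an added example that is not TraceGlyph's own code. The page names FNV-1a of the hostname as the seed; the PRNG (mulberry32), the ±1 single-channel perturbation and all function names are assumptions made for illustration.

```javascript
// FNV-1a (32-bit) over the hostname; ASCII/punycode hostnames assumed.
function fnv1a32(str) {
  let h = 0x811c9dc5;                       // FNV offset basis
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i) & 0xff;
    h = Math.imul(h, 0x01000193);           // FNV prime, wraps at 32 bits
  }
  return h >>> 0;
}

// mulberry32: small seedable PRNG, chosen for this example only.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) | 0;
    let t = Math.imul(a ^ (a >>> 15), 1 | a);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Perturb one colour channel per pixel by +/-1; alpha is left untouched.
// `rgba` is a flat RGBA byte array, as in getImageData().data.
function noisePixels(rgba, hostname) {
  const rand = mulberry32(fnv1a32(hostname));
  const out = Uint8ClampedArray.from(rgba); // copy, never mutate the input
  for (let i = 0; i + 3 < out.length; i += 4) {
    const channel = i + Math.floor(rand() * 3);
    out[channel] += rand() < 0.5 ? -1 : 1;  // clamped to 0..255
  }
  return out;
}

// Constructed sample: an 8x8 mid-grey canvas readback.
const sample = new Uint8ClampedArray(8 * 8 * 4).fill(128);
const first = noisePixels(sample, 'shop.example');
const again = noisePixels(sample, 'shop.example');
const other = noisePixels(sample, 'news.example');
// Same site: identical readback on every call. Different site: unrelated noise.
console.log(first.join() === again.join(), first.join() === other.join());
```

Because the seed depends only on the hostname, a page that reads the canvas twice to test for per-call randomization gets the same bytes both times.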
## Page IOC Extractor
Automatically extracts IOCs from visible page text - ideal for analysts reading threat reports, advisories, and blog posts.
| IOC Type | Pattern |
|----------|---------|
| IPv4 | Standard + defanged `[.]` notation |
| IPv6 | Standard notation |
| Domains | Standard + defanged `[dot]` notation |
| URLs | Standard + `hxxp`/`hxxps` defanged |
| SHA-256 | 64-char hex strings |
| SHA-1 | 40-char hex strings |
| MD5 | 32-char hex strings |
| CVE IDs | `CVE-YYYY-NNNNN` |
| MITRE ATT&CK | `T1xxx`, `T1xxx.xxx` |
| Emails | Standard + `[at]` defanged |
| Files | `.exe`, `.dll`, `.ps1`, `.bat`, `.vbs`, `.hta`, `.jar`, etc. |
| Registry | `HKLM\`, `HKCU\`, etc. |
| Bitcoin | P2PKH, P2SH, bech32 addresses |
| Ethereum | `0x` + 40 hex chars |
Features: auto-refanging, deduplication, private IP filtering, hash hierarchy dedup, one-click copy per category, included in Copy Report.
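
A reduced version of the extraction pipeline listed above (refang, match, deduplicate, drop private IPs), as an added example rather than the extension's own code. The regular expressions, function names and the reading of "hash hierarchy dedup" as "a longer hash is never also reported as a shorter one" are assumptions; only IPv4, URL and hash types are covered.

```javascript
// Undo the defanging conventions listed in the table above.
function refang(text) {
  return text
    .replace(/\[\.\]|\[dot\]/gi, '.')
    .replace(/\[at\]/gi, '@')
    .replace(/\bhxxp(s?):\/\//gi, 'http$1://');
}

// RFC 1918, loopback and link-local addresses are dropped from the output.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) || (a === 169 && b === 254);
}

const OCTET = '(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)';
// The \b on both sides of each hash pattern keeps a SHA-256 from also being
// reported as a SHA-1 or MD5 substring.
const PATTERNS = {
  ipv4: new RegExp('\\b' + OCTET + '(?:\\.' + OCTET + '){3}\\b', 'g'),
  url: /\bhttps?:\/\/[^\s"'<>)\]]+/gi,
  sha256: /\b[a-f0-9]{64}\b/gi,
  sha1: /\b[a-f0-9]{40}\b/gi,
  md5: /\b[a-f0-9]{32}\b/gi,
};

function extractIocs(pageText) {
  const text = refang(pageText);
  const result = {};
  for (const [type, re] of Object.entries(PATTERNS)) {
    const seen = new Set();                       // deduplicate per category
    for (const [match] of text.matchAll(re)) {
      // URLs keep their case (paths are case-sensitive); trailing prose
      // punctuation is trimmed. Hashes are normalised to lowercase.
      const value = type === 'url' ? match.replace(/[.,;:]+$/, '')
                                   : match.toLowerCase();
      if (type === 'ipv4' && isPrivateIPv4(value)) continue;
      seen.add(value);
    }
    result[type] = [...seen];
  }
  return result;
}

// Constructed sample text; the hashes are the MD5 and SHA-256 of empty input.
const report = [
  'C2 at 203[.]0[.]113[.]7 (also seen as 203.0.113.7), staging host 192.168.1.10.',
  'Payload: hxxps://files.example[.]com/update.exe.',
  'MD5 D41D8CD98F00B204E9800998ECF8427E',
  'SHA-256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
].join('\n');
```

Calling `extractIocs(report)` returns one public IP, one refanged URL, one MD5 and one SHA-256; the private address and the duplicate IP are gone.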
## Tracking Pixel Decoder
Automatically detects hidden tracking pixels and beacons in the DOM, decodes their URL parameters, and reveals exactly what data each pixel transmits about you.
**Detection:** Finds 1x1 images, zero-size images, `display:none`/`visibility:hidden`/`opacity:0` images, and prefetch/preload pixel-like resources.
**35+ identified tracking networks:**
Meta Pixel, Google Analytics, Google Ads, DoubleClick, Google Tag Manager, Microsoft Ads, Microsoft Clarity, LinkedIn Insight, X/Twitter Analytics, TikTok Pixel, Pinterest Tag, Snapchat Pixel, WordPress Stats, Yandex Metrica, Comscore, Quantcast, Matomo, Hotjar, Mouseflow, FullStory, LogRocket, Segment, Mixpanel, Amplitude, Heap, Plausible, PostHog, Sentry, HubSpot, Salesforce Pardot, Marketo, Xandr/AppNexus, Criteo, Taboola, Outbrain, Adobe Analytics, New Relic.
**9 data categories classified:**
| Category | Example parameters |
|----------|-------------------|
| User ID | `uid`, `cid`, `_ga`, `fpid`, `visitorid` |
| Session | `sid`, `session`, `token`, `nonce` |
| Page info | `url`, `referrer`, `utm_source`, `utm_campaign` |
| Device | `ua`, `browser`, `screen`, `viewport`, `lang` |
| Timing | `timestamp`, `ttfb`, `load`, `duration` |
| Tracking events | `event`, `action`, `category`, `hit`, `ec`, `ea` |
| Geolocation | `country`, `region`, `city`, `timezone` |
| Revenue | `revenue`, `price`, `order`, `product`, `sku` |
| Consent | `consent`, `gdpr`, `ccpa`, `dnt` |
Each decoded pixel is shown in the Network tab with the tracker name, all decoded parameters, and highlighted data type categories. Included in Copy Report output.
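
The detection and decoding steps above, as an added example that is not taken from the extension's source. The parameter lists are copied from the table; the plain-object image descriptor (standing in for an `<img>` element plus its computed style), the function names and the `Unclassified` bucket are assumptions.

```javascript
// Parameter names per data category, copied from the table above.
const CATEGORIES = {
  'User ID': ['uid', 'cid', '_ga', 'fpid', 'visitorid'],
  'Session': ['sid', 'session', 'token', 'nonce'],
  'Page info': ['url', 'referrer', 'utm_source', 'utm_campaign'],
  'Device': ['ua', 'browser', 'screen', 'viewport', 'lang'],
  'Timing': ['timestamp', 'ttfb', 'load', 'duration'],
  'Tracking events': ['event', 'action', 'category', 'hit', 'ec', 'ea'],
  'Geolocation': ['country', 'region', 'city', 'timezone'],
  'Revenue': ['revenue', 'price', 'order', 'product', 'sku'],
  'Consent': ['consent', 'gdpr', 'ccpa', 'dnt'],
};

// Hidden-pixel heuristics from the Detection line: 1x1 or zero-size,
// display:none, visibility:hidden, opacity:0.
function isHiddenPixel(img) {
  const tiny = img.width <= 1 && img.height <= 1;
  const invisible = img.display === 'none' || img.visibility === 'hidden' ||
                    parseFloat(img.opacity) === 0;
  return tiny || invisible;
}

function classifyParam(name) {
  const key = name.toLowerCase();
  for (const [category, names] of Object.entries(CATEGORIES)) {
    if (names.includes(key)) return category;
  }
  return 'Unclassified';
}

// Returns null for visible images and unparsable URLs.
function decodePixel(img, pageUrl) {
  if (!isHiddenPixel(img)) return null;
  let url;
  try { url = new URL(img.src, pageUrl); } catch (e) { return null; }
  const byCategory = {};
  for (const [name, value] of url.searchParams) {  // values are percent-decoded
    const category = classifyParam(name);
    if (!byCategory[category]) byCategory[category] = [];
    byCategory[category].push({ name, value });
  }
  return { host: url.hostname, path: url.pathname, byCategory };
}

// Constructed sample: a 1x1 beacon with a relative src on a shop page.
const samplePixel = { width: 1, height: 1, src:
  '//tracker.example/px.gif?uid=abc123&url=https%3A%2F%2Fshop.example%2Fcart&ea=purchase&price=19.99&v=2' };
console.log(JSON.stringify(decodePixel(samplePixel, 'https://shop.example/cart'), null, 2));
```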