@fanboynz/network-scanner 3.0.1 → 3.0.3

package/.github/workflows/npm-publish.yml

@@ -162,7 +162,10 @@ jobs:
         uses: softprops/action-gh-release@v2
         with:
           tag_name: v${{ steps.version.outputs.version }}
-          name: v${{ steps.version.outputs.version }}
+          # Date suffix matches the convention used by the backfilled
+          # historical releases (v2.0.10..v2.0.66) so the Releases page
+          # shows the release date inline without a click-through.
+          name: v${{ steps.version.outputs.version }} (${{ steps.version.outputs.date }})
           body: ${{ inputs.release_notes_source == 'changelog' && steps.changelog_notes.outputs.notes || steps.manual_notes.outputs.notes }}
           draft: false
           prerelease: ${{ inputs.prerelease }}

package/CHANGELOG.md

@@ -2,6 +2,74 @@
 
 All notable changes to the Network Scanner (nwss.js) project.
 
+## [3.0.3] - 2026-05-26
+
+### Improved
+- **3 DataDome-targeted gaps closed in `lib/fingerprint.js`** (inside `applyFingerprintProtection`, so gated on `siteConfig.fingerprint_protection` like every other spoof in that function):
+  - **`Notification.permission` static property** now returns `'default'` (real Chrome's no-granted-permission state). Previously only `Notification.requestPermission()` (the method) was patched; the static property still returned the headless default `'denied'` — a live tell for DataDome and similar detectors that read it directly.
+  - **`screen.orientation` interface** is now provided as a stable `{type: 'landscape-primary', angle: 0, addEventListener, lock, unlock, ...}` object when missing. Modern browsers always expose ScreenOrientation; absence is a "real browser?" check signal.
+  - **`<html>` `webdriver` DOM attribute** stripped if present. Defensive — modern Puppeteer with `ignoreDefaultArgs: ['--enable-automation']` doesn't emit this, but older driver setups do, and detectors check both `navigator.webdriver` AND `documentElement.getAttribute('webdriver')`. Appended to the existing `'webdriver removal'` safeExecute block so all webdriver cleanup lives together.
+
+  Targeted at sites running DataDome's `ct.captcha-delivery.com/i.js` (and similar fingerprint suites: PerimeterX, Akamai Bot Manager). Most other surfaces these detectors probe were already covered (chrome.app/csi/loadTimes, userAgentData, maxTouchPoints, permissions.query, WebGL UNMASKED_VENDOR/RENDERER, etc.). `scripts/test-stealth.js sannysoft` regression smoke holds at 29 passed / 1 warn / 0 failed (the warn is `CHR_DEBUG_TOOLS`, a CDP-attached signal that's fundamental to Puppeteer and unrelated to these additions). JS-only spoofing can't address TLS fingerprint, HTTP/2 fingerprint, IP reputation, or behavioural analysis — those still depend on proxy choice and `interact` / `ghost-cursor` config.
+
+### Added
+- **`scripts/test-stealth.js` now reports warn-row labels** for sannysoft, not just failure-row labels. Previously a cell moving from `passed` → `warn` between runs was invisible (only the count changed), making soft-regression debugging require `--headful`. Now the warn-row table contents print inline so you can see e.g. `warn rows: CHR_DEBUG_TOOLS` directly. Schema additive: result object gains a `warnings: string[]` array alongside the existing `failures: string[]`.
+- **`scripts/test-stealth.js` extracts CreepJS's actual current metrics** instead of stale `Trust Score` regex that returned `n/a` for every field. New extracted fields: `fpId` (CreepJS's stable fingerprint hash, lets you A/B before/after a spoof change), `isChromium` (engine identification), `headlessPct` (HARD headless detection score, lower = better), `likeHeadlessPct` (SOFT headless signals), `stealthPct` (spoof-detection probes score, HIGHER = better since it means our spoofs LOOK convincing). Formatter prints all five with directionality hints inline. Excerpt now 40 lines / 2KB (was 15 / 400 bytes) so future UI rotations are debuggable from the output without `--headful`.
+- **Additional headless-mode spoofs in `lib/fingerprint.js`** (all inside `applyFingerprintProtection`, gated on `siteConfig.fingerprint_protection`):
+  - **`matchMedia` hover/pointer queries**: `(any-hover: hover)`, `(any-hover: none)`, `(any-pointer: fine)`, `(any-pointer: none)`, `(any-pointer: coarse)` plus the legacy non-`any-` aliases. Headless Chrome reports no hover device and no fine pointer (no mouse hardware); detectors probe these as a binary 'real desktop hardware?' signal. Pass-through for all other queries (responsive, color-scheme, reduced-motion, etc.).
+  - **`screenLeft` / `screenTop` mirror `screenX` / `screenY`**. Real Chrome exposes these as identical-value legacy aliases; spoofers often leave them undefined or 0, which is inconsistent with the non-zero `screenX/Y` our existing patch produces.
+  - **Modern Chrome API stubs**: `document.hasStorageAccess()` → `Promise<true>`, `navigator.userActivation` → `{hasBeenActive: true, isActive: true}`, `navigator.getInstalledRelatedApps()` → `Promise<[]>`. Each gated on absence check so real-Chrome paths skip the override.
+
+  Honest measurement: CreepJS's specific `headless score` did NOT move after these additions (stayed at 67%). My prior estimate of '~-10 to -15 percentage points' was over-optimistic — CreepJS apparently doesn't weight matchMedia hover/pointer heavily in its headless calculation. The additions are still correct spoofs that close real fingerprint gaps and likely help against DataDome / PerimeterX which use different scoring; they're net-positive but score-neutral against CreepJS specifically. The remaining ~67% headless detection is architectural (CDP attachment, software-rasterizer GPU, no real mouse cursor) and can't be lowered without `--headful`.
+
+### Security
+- **WebRTC public-IP leak closed** in `lib/fingerprint.js` (`applyFingerprintProtection`). The previous local-IP filter only stripped RFC1918 private ranges (`10.x / 172.16-31.x / 192.168.x`), missing `srflx` (STUN-discovered PUBLIC IP), `prflx`, `relay`, and host candidates with non-RFC1918 addresses (CGNAT 100.64.0.0/10, link-local IPv6, real public IPs on bare-metal hosts). STUN traffic is UDP and **bypasses the SOCKS5 proxy entirely**, so the leaked IP was the real host IP regardless of proxy config — visible to any page that listened on `icecandidate` events. Caught by `test-stealth.js creepjs` which surfaced the candidate string `122.252.155.250 typ srflx` and the corresponding `ip:` field in its WebRTC panel. Fix: strip EVERY ICE candidate; deliver only the null-candidate sentinel (end-of-gathering signal). Side note: the property-based `pc.onicecandidate = fn` setter was also broken (stored handler but never wired it up); now mirrors the same filter as the addEventListener path. Side effect: any site that REQUIRES functional WebRTC peer connections sees ICE gathering produce zero candidates. For nwss.js's scanning use case this is correct.
+
+### Stealth hardening (toString masking)
+- **Added 8 session-introduced spoofs to `Function.prototype.toString` bulk masking** (`matchMedia`, `hasStorageAccess`, `getInstalledRelatedApps`, `userActivation` getter, `Notification.permission` getter, `screen.orientation` getter, `screenLeft`/`screenTop` getters). Without this, each new spoof was detectable via `.toString()` returning the override source instead of `[native code]`.
+- **Masked per-instance WebRTC `onicecandidate` getter/setter + `addEventListener` wrap.** The bulk-mask block only runs once at injection; per-RTCPeerConnection closures created inside the factory weren't covered. A site doing `Object.getOwnPropertyDescriptor(pc, 'onicecandidate').get.toString()` could see the spoof.
+- **Spoofed `navigator.productSub` + `vendorSub`** (UA-aware: `'20030107'` for Chrome/Safari/etc., `'20100101'` for Firefox; `vendorSub` always `''`). Companion legacy properties to the already-spoofed `vendor`/`product`. Common bot-detection signal since anti-detection libraries often spoof UA but forget these. `vendor`/`product` getters also added to the maskAsNative list (pre-existing oversight folded in).
+
+### Fixed
+- **`validatePageForInjection`'s 1.5s race timer is now `unref`'d.** Last remaining Node-side `setTimeout` that wasn't unref'd; could hold the event loop alive for up to 1.5s past scan completion. All Node-side timers in `lib/fingerprint.js`, `lib/nettools.js`, and `lib/socks-relay.js` are now unref'd.
+
+### Performance
+- **Canvas noise application now cached per `HTMLCanvasElement`** via WeakMap. `toDataURL` and `toBlob` previously did a `getImageData` + `putImageData` round-trip on every call (~500k iterations for size-capped canvases) to bake noise into the export. Now the round-trip runs once per canvas; subsequent exports skip it (the canvas backing store still has the noised pixels from the first call). Trade-off: animated canvases that redraw between exports won't have new content re-noised — acceptable for the common fingerprinter pattern (single probe → single toDataURL).
+
+## [3.0.2] - 2026-05-25
+
+### Security
+- **Credentials redacted in `lib/proxy.js` 'Invalid proxy URL' warn** — `getProxyArgs` echoed the raw user-configured `proxyUrl` when parseProxyUrl returned null. For a URL like `socks5://user:pass@host:port` that fails parse (mistyped protocol, port out of range, etc.) this emitted the full credentials to stderr. Regex-strips the `user:pass@` segment (handles both scheme-prefixed and bare host:port forms) before logging. Same redaction policy as `getProxyInfo()` and the socks-relay logs already fixed in 3.0.1. The new port-range validation in this release expanded the trigger surface (one more parse-failure path) which made me find the leak.
+- **`applyProxyAuth` debug log redacted** — the `Auth set for USER@host:port` debug-only log line emitted the raw username. Now `[redacted]@host:port`. Same leak class as above, third site of the same kind.
+
+### Added
+- **`scripts/test-stealth.js --format=json`** (already shipped in 3.0.1, listed here only because the harness gained a real consumer via the next item) — `getRelayStats()` exposed from `lib/socks-relay.js`, returning `[{key, port, activeConnections, errors}]` per active relay (`key` with the username segment stripped for safety, IPv6-aware). Diagnostic surface for answering "is the proxy slow because the upstream is saturated or because the scan is opening too many parallel tunnels?" without enabling `forceDebug`.
+- **`delay_uncapped: true` site-config flag** — lifts the 2s post-networkidle delay cap; honors the configured `delay` up to half the per-URL timeout. Targets sites with setTimeout-deferred lazy ad/tracker loaders (weather.com / cbssports.com class) where late requests fire well past the standard window. Default behavior unchanged (still 2s) so fast sites stay fast.
+
+### Fixed
+- **Race: late-completing dig/whois validations were orphaned.** Per-URL async nettools handlers were scheduled via fire-and-forget `setImmediate(() => netToolsHandler(...))`; if the handler's full async chain (dig spawn + match check + addMatchedDomain) resolved AFTER the result snapshot ran, the addMatchedDomain call landed in a Set that was no longer referenced by any in-flight result. Most visible symptom: domains appearing in the end-of-scan "Fresh dig:" list with no corresponding rule in the output. Now tracked via `trackNetToolsHandler` (closure over per-URL `pendingNetTools[]`) and drained via `drainPendingNetTools()` with a 3s hard cap (`TIMEOUTS.NETTOOLS_DRAIN_TIMEOUT`), called BEFORE `formatRules` at all three snapshot sites (dry-run, success, partial-success/catch path). All three setImmediate call sites (popup observer, main request handler, secondary request handler) migrated.
+- **Race: scan-exit hang up to ~100s when a dig/whois lookup hung.** Four `setTimeout`s in `lib/nettools.js` (outer exec timer, overall 65s timer, whois progressive retry delay up to ~30s, whois server-switch delay ~8s) were not `unref`'d, so a genuinely-hung lookup that survived the new 3s drain could hold the Node event loop alive for the remainder. All four now `unref`'d with defensive `typeof timer.unref === 'function'` guards; the previously-unref'd inner SIGKILL tail-timer makes 5/5 setTimeout sites in the module now safe for scan-exit. Natural-completion paths still `clearTimeout` on resolution, so this only affects the hung-process case.
+- **`parseProxyUrl` accepted ports > 65535.** Now rejects ports outside 1-65535 at parse time, surfacing misconfiguration immediately instead of passing an invalid value to Chromium and getting an opaque downstream error.
+- **`@version 1.1.0` JSDoc** in `lib/proxy.js` was stale (const said `1.2.0`). Aligned to 1.2.0; the const + export then went away in the export trim — see Improved.
+- **Site-config `delay` field was a no-op.** `nwss.js` per-URL handler hardcoded `const delayMs = DEFAULT_DELAY` regardless of `siteConfig.delay`. Now reads `siteConfig.delay || DEFAULT_DELAY`. Visible only with the new `delay_uncapped: true` flag (without it, the configured value is still capped at 2s as before).
+- **"Something went wrong when opening your profile" popup in `--keep-open` headful mode.** `--disable-sync` was conditionally dropped when `--keep-open` was set, which let Chrome's sync subsystem initialise against our temp `userDataDir` (which has no real profile), error out, and pop a modal that blocked the page until dismissed. Three-flag fix: `--disable-sync` is now always-on (was the only one of five `--keep-open`-conditional flags actually causing user-visible breakage), plus `--allow-browser-signin=false` and `AccountConsistencyMirror,AccountConsistencyDice` appended to the existing `--disable-features=` list as defence in depth across Chromium's multiple account-subsystem entry points. The other four conditional-on-keep-open flags (`--disable-component-extensions-with-background-pages`, `--disable-component-update`, `--disable-background-networking`, `--disable-extensions`) stay conditional so user-loaded extensions and live inspection still work normally.
+- **Race: `socks-relay.ensureRelay` concurrent-init created orphan servers.** Two concurrent callers for the same upstream both passed the `_relays.get(key)` check, both created `net.Server` listeners, both raced to `_relays.set` — second overwrote first, first server was orphaned (listening forever, never closed by `closeAllRelays`). Not triggered by current usage (proxy.js's `prepareSocksRelays` uses a sequential await loop) but a latent bug for future parallel-init paths. Fix: singleflight via new `_pendingRelays` Map; second caller for an in-flight upstream rides the existing promise. Cleanup uses `.finally()` on the returned promise (not try/finally inside the IIFE) so a hypothetical sync-throw in the init body can't leave a permanent rejected entry in `_pendingRelays`. Mirrors the `pendingDigLookups`/`pendingWhoisLookups` pattern in `lib/nettools.js`.
+- **Race: handshake watchdog firing during upstream connect orphaned the upstream socket.** `HANDSHAKE_TIMEOUT_MS = 10000` vs `SocksClient.createConnection` timeout = `20000` left a 10-second window where the watchdog could fire mid-await, destroy the client, and set `settled = true`. When the upstream connect then resolved into a fresh socket, the subsequent `cleanup()` short-circuited via the settled guard, leaving an open TCP connection to the upstream that was never destroyed — held alive until OS-level timeout or remote close. Fix: disarm the watchdog at the `phase = 'connecting'` transition (client has completed its part of the handshake; `SocksClient`'s own 20s timeout covers the upstream connect), plus a defence-in-depth `if (settled) destroy + return` after `upstreamSock = info.socket` for any other path that could call cleanup before upstreamSock registers.
+- **Race: `closeAllRelays` didn't wait for in-flight `ensureRelay` inits.** A relay whose `listen()` completed AFTER `closeAllRelays` snapshotted `_relays` landed in `_relays` unowned by the close pass — leaked until next call or process exit. Pre-existing, more visible after `_pendingRelays` became a separate Map for the singleflight. Fix: `await Promise.allSettled(Array.from(_pendingRelays.values()))` at the head of `closeAllRelays` so the snapshot is guaranteed-complete. `allSettled` (not `all`) because rejected inits have already cleaned up their `_pendingRelays` entries via `.finally()`.
+
+### Improved
+- **socks-relay handshake buffer cap** (`MAX_HANDSHAKE_BYTES = 4096`) on pre-piping growth. Prior code absorbed arbitrary bytes for the full 10s handshake watchdog window, letting a hostile/buggy local process pin memory by drip-feeding garbage. Sends a protocol-appropriate failure reply per phase before closing.
+- **socks-relay TCP keep-alive on upstream socket** (`setKeepAlive(true, 60000)`). Catches silently-dead upstreams (NAT timeout, mobile-tower drop, proxy crash without FIN/RST) in ~12 minutes (60s idle + kernel-default 9 × 75s probes) instead of the Linux default ~2 hours. Comment is honest about the kernel-default probe math — `60000` is `TCP_KEEPIDLE` only, not the full detection time.
+- **socks-relay auth-misconfig warn** — `ensureRelay` warns once per unique upstream when `username && !password`, since RFC 1929 auth will almost certainly fail. Surfaces the misconfiguration at relay start instead of as opaque per-request failures inside `forceDebug`-gated logs.
+- **socks-relay `server.maxConnections = 256` cap** per relay. Sheds excess Chromium connections at the TCP-accept layer (where HTTP retry handles them cleanly) instead of letting all N tunnels open to the upstream and have the provider silently drop past-quota ones — which looks to the scan like random missed requests.
+- **socks-relay per-relay error counter** tracked in `relayEntry.errors`, bumped on `SocksClient.createConnection` failures, surfaced via `getRelayStats()` as the `errors` field. Lets a post-scan reader see "X of N upstream connects failed" without re-running with forceDebug.
+- **socks-relay graceful drain on `closeAllRelays`** — `DRAIN_TIMEOUT_MS = 2000` window via `Promise.race(closePromise, drainTimeout)` for in-flight tunnels to flush their last response bytes into Chromium / Puppeteer. Stragglers past 2s get force-destroyed (server.close callback then fires immediately). SIGINT mid-scan no longer amputates in-flight responses, but a hung tunnel can't block exit beyond 2s. Drain timer `unref`'d so it doesn't hold the event loop open when the close-promise wins the race.
+- **`lib/proxy.js` exports trimmed 12 → 8** — removed `getModuleInfo`, `PROXY_MODULE_VERSION`, `SUPPORTED_PROTOCOLS`, `getConfiguredProxy` (zero external callers in each case, grep-verified). Mirrors the same trim already done in `lib/cloudflare.js`. `SUPPORTED_PROTOCOLS` and `getConfiguredProxy` stay as module-local since they're used internally.
+- **`lib/proxy.js` code cleanup** — two `require('./socks-relay')` calls consolidated into one destructured import (with `closeAllRelays` renamed inline), `net` module require hoisted from `testProxy()` body to top of file, `applyProxyAuth` JSDoc enumerates the 5 distinct `false` return scenarios (caller treating false as "auth failed" would incorrectly retry on the SOCKS5 → relay handles it case).
+
+### CI
+- **GitHub Release names now include date suffix** (`v3.0.2 (YYYY-MM-DD)`), matching the convention used by the backfilled v2.0.10 through v2.0.66 releases. Auto-applied via the already-computed `steps.version.outputs.date` in `softprops/action-gh-release`.
+
 ## [3.0.1] - 2026-05-24
 
 ### Security

package/lib/fingerprint.js

@@ -248,7 +248,15 @@ async function validatePageForInjection(page, currentUrl, forceDebug) {
     }
     await Promise.race([
       page.evaluate(() => document.readyState || 'loading'),
-      new Promise((_, reject) => setTimeout(() => reject(new Error('Page evaluation timeout')), 1500))
+      new Promise((_, reject) => {
+        // unref so a still-pending race timer (page.evaluate won) doesn't
+        // hold the Node event loop alive for up to 1.5s past scan exit.
+        // Same pattern as the nettools timer unrefs in 83209d4 / 0c5d644;
+        // closes the last known node-side unref'd setTimeout in the
+        // fingerprint module.
+        const t = setTimeout(() => reject(new Error('Page evaluation timeout')), 1500);
+        if (typeof t.unref === 'function') t.unref();
+      })
     ]);
     return true;
   } catch (validationErr) {
@@ -506,6 +514,21 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
             configurable: true,
             enumerable: true
           });
+
+          // Belt-and-suspenders: some older Chromium-driver setups leave a
+          // `webdriver` attribute on the <html> element (different surface
+          // from navigator.webdriver). DataDome and similar detectors
+          // check both. Modern Puppeteer with ignoreDefaultArgs:
+          // ['--enable-automation'] (set in nwss.js's createBrowser) doesn't
+          // emit this attribute, so this is defensive against rare edge
+          // cases. documentElement should exist by evaluateOnNewDocument
+          // time; wrapped in optional-chaining + try/catch for the contexts
+          // where it doesn't.
+          try {
+            if (document?.documentElement?.hasAttribute('webdriver')) {
+              document.documentElement.removeAttribute('webdriver');
+            }
+          } catch (_) {}
         }, 'webdriver removal');
 
         // Remove automation properties
@@ -814,16 +837,27 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
         safeExecute(() => {
           let vendor = 'Google Inc.';
           let product = 'Gecko';
-          
+          // productSub is a legacy Mozilla-era property: '20030107' for
+          // every browser EXCEPT Firefox (which uses '20100101'). Real
+          // Chrome / Safari / etc. all report '20030107'. Real Firefox
+          // reports '20100101'. Common bot-detection signal because
+          // anti-detection libraries often spoof UA but forget this.
+          // vendorSub is always '' across all browsers (legacy/unused).
+          let productSub = '20030107';
+          const vendorSub = '';
+
           if (userAgent.includes('Firefox')) {
             vendor = '';
+            productSub = '20100101';
           } else if (userAgent.includes('Safari') && !userAgent.includes('Chrome')) {
             vendor = 'Apple Computer, Inc.';
           }
-          
+
           const vendorProps = {
             vendor: { get: () => vendor },
-            product: { get: () => product }
+            product: { get: () => product },
+            productSub: { get: () => productSub },
+            vendorSub: { get: () => vendorSub }
           };
           spoofNavigatorProperties(navigator, vendorProps);
         }, 'vendor/product spoofing');
@@ -1270,6 +1304,23 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           if (window.Notification && Notification.requestPermission) {
             Notification.requestPermission = () => Promise.resolve('default');
           }
+
+          // Notification.permission STATIC PROPERTY — distinct from the
+          // requestPermission() method patched above. DataDome and similar
+          // detectors read Notification.permission directly. Real Chrome
+          // with no granted permission returns 'default'; headless Chrome
+          // returns 'denied'. Without this override the prior block (which
+          // only patched the method) leaves the static property as a live
+          // headless tell. Wrapped in try/catch because some embedded
+          // contexts make Notification non-configurable.
+          if (window.Notification) {
+            try {
+              Object.defineProperty(Notification, 'permission', {
+                get: () => 'default',
+                configurable: true
+              });
+            } catch (_) {}
+          }
         }, 'permissions API spoofing');
 
         // Media Device Spoofing
@@ -1299,9 +1350,105 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
             const sY = Math.floor(Math.random() * 50) + 20;
             Object.defineProperty(window, 'screenX', { get: () => sX });
             Object.defineProperty(window, 'screenY', { get: () => sY });
+            // screenLeft / screenTop are the legacy IE-era aliases for
+            // screenX / screenY; real Chrome exposes them as identical
+            // values. Headless / spoofers often leave them undefined or 0,
+            // which is a tell since the screenX/Y patch above changed
+            // those values to be non-zero. Mirror them explicitly so the
+            // four properties stay consistent.
+            Object.defineProperty(window, 'screenLeft', { get: () => sX });
+            Object.defineProperty(window, 'screenTop', { get: () => sY });
           }
         }, 'window dimension spoofing');
 
+        // Modern Chrome API stubs — these APIs exist in real desktop
+        // Chrome but may be missing or wrong in headless. Detectors check
+        // presence + minimal shape as a 'real browser?' signal. Each one
+        // is wrapped individually so a failure on one doesn't break the
+        // others, and the existence checks let real-Chrome paths
+        // (where the property already exists with the right value) skip
+        // the override entirely.
+        safeExecute(() => {
+          // Document.hasStorageAccess() — Storage Access API. Real Chrome
+          // returns a Promise<boolean>; resolve with true to mimic the
+          // common 'storage already accessible (top-level context)' state.
+          if (document && typeof document.hasStorageAccess !== 'function') {
+            try {
+              Object.defineProperty(document, 'hasStorageAccess', {
+                value: () => Promise.resolve(true),
+                configurable: true,
+                writable: true
+              });
+            } catch (_) {}
+          }
+        }, 'document.hasStorageAccess stub');
+
+        safeExecute(() => {
+          // navigator.userActivation — UserActivation interface tracking
+          // whether the page has had a user gesture. Real Chrome exposes
+          // {hasBeenActive: bool, isActive: bool}. After interaction
+          // simulation (interact / ghost-cursor) both should be true; we
+          // default to true so a site checking before our synthetic
+          // gestures fire still sees a 'user activated' page.
+          if (navigator && !navigator.userActivation) {
+            try {
+              const userActivation = {
+                hasBeenActive: true,
+                isActive: true
+              };
+              Object.defineProperty(navigator, 'userActivation', {
+                get: () => userActivation,
+                configurable: true
+              });
+            } catch (_) {}
+          }
+        }, 'navigator.userActivation stub');
+
+        safeExecute(() => {
+          // navigator.getInstalledRelatedApps() — Chrome-specific API
+          // returning installed PWAs/native apps related to the current
+          // origin. Real Chrome has this as a function; absence is a tell
+          // for non-Chrome / headless. Return empty array (the common
+          // no-related-apps case) — same as a fresh real-Chrome profile.
+          if (navigator && typeof navigator.getInstalledRelatedApps !== 'function') {
+            try {
+              Object.defineProperty(navigator, 'getInstalledRelatedApps', {
+                value: () => Promise.resolve([]),
+                configurable: true,
+                writable: true
+              });
+            } catch (_) {}
+          }
+        }, 'navigator.getInstalledRelatedApps stub');
+
+        // screen.orientation — modern browsers expose a ScreenOrientation
+        // interface ({type, angle, addEventListener, lock, unlock, ...}).
+        // Missing entirely in some headless contexts; presence + shape are
+        // checked by DataDome and similar detectors as a "real browser"
+        // signal. The values below mirror real desktop Chrome's landscape
+        // primary orientation; lock()/unlock() match real-Chrome behaviour
+        // when no fullscreen element is active (lock rejects with
+        // NotSupportedError, unlock is a no-op). Object identity is stable
+        // (hoisted out of the getter) so reference-equality checks pass.
+        safeExecute(() => {
+          if (!window.screen.orientation) {
+            const orientation = {
+              type: 'landscape-primary',
+              angle: 0,
+              onchange: null,
+              addEventListener: () => {},
+              removeEventListener: () => {},
+              dispatchEvent: () => false,
+              lock: () => Promise.reject(new Error('NotSupportedError')),
+              unlock: () => {}
+            };
+            Object.defineProperty(window.screen, 'orientation', {
+              get: () => orientation,
+              configurable: true
+            });
+          }
+        }, 'screen.orientation spoofing');
+
         // navigator.connection — missing or incomplete in headless.
         // Object literal hoisted out of the getter so identity is stable
         // across reads. Real Chrome's NetworkInformation instance has
@@ -1447,50 +1594,143 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           }
         }, 'image loading obfuscation');
 
-        // CSS Media Query Spoofing
+        // CSS Media Query Spoofing — specifically the hardware-presence
+        // queries that distinguish a real desktop browser from headless.
+        //
+        // Headless Chrome reports NO hover device and NO fine pointer
+        // (there's no mouse hardware attached). matchMedia('(any-hover:
+        // hover)') returns matches=false in headless, matches=true in
+        // real desktop. CreepJS and DataDome both probe these queries
+        // explicitly as a hard binary 'is this real browser hardware?'
+        // signal — one of the biggest single contributors to CreepJS's
+        // headless-detection score.
         //
-        // CSS media query — pass through normally. Screen dimensions are already spoofed
-        // so matchMedia results will naturally reflect the spoofed values.
-        // No modification needed here.
+        // Pass-through for all OTHER queries (max-width, prefers-color-
+        // scheme, etc.) so legitimate responsive-design checks still work.
+        // Screen-dimension queries naturally reflect the already-spoofed
+        // screen.width/height — no extra handling needed for those.
+        safeExecute(() => {
+          if (typeof window.matchMedia !== 'function') return;
+          const origMatchMedia = window.matchMedia;
+          // Make a fake MediaQueryList that quacks like the real thing.
+          // Real Chrome's MediaQueryList implements EventTarget, so the
+          // listener methods need to exist as callable no-ops.
+          const fakeMql = (query, matches) => ({
+            matches,
+            media: query,
+            onchange: null,
+            addEventListener: () => {},
+            removeEventListener: () => {},
+            addListener: () => {},      // deprecated alias but still present in Chrome
+            removeListener: () => {},
+            dispatchEvent: () => false
+          });
+          window.matchMedia = function(query) {
+            const q = String(query || '').toLowerCase();
+            // Spoof to "yes, mouse + hover hardware present" — the real
+            // desktop answer. Match both `(any-hover: hover)` and the
+            // legacy `(hover: hover)`; same for pointer.
+            if (q.includes('any-hover: hover') || q.includes('hover: hover')) {
+              return fakeMql(query, true);
+            }
+            if (q.includes('any-hover: none') || q.includes('hover: none')) {
+              return fakeMql(query, false);
+            }
+            if (q.includes('any-pointer: fine') || q.includes('pointer: fine')) {
+              return fakeMql(query, true);
+            }
+            if (q.includes('any-pointer: none') || q.includes('pointer: none')) {
+              return fakeMql(query, false);
+            }
+            if (q.includes('any-pointer: coarse') || q.includes('pointer: coarse')) {
+              return fakeMql(query, false);  // desktop = no coarse touch pointer
+            }
+            // Anything else falls through to real matchMedia (responsive
+            // queries, color-scheme, reduced-motion, etc. all behave normally).
+            return origMatchMedia.call(this, query);
+          };
+        }, 'matchMedia hover/pointer spoofing');
 
         // Enhanced WebRTC Spoofing
         //
+        // Previously stripped only RFC1918 private IPs from ICE candidates,
+        // which leaked the STUN-discovered public IP (`typ srflx`) — visible
+        // in CreepJS's WebRTC section and trivially also probed by DataDome
+        // and other modern fingerprint suites. STUN traffic is UDP, so it
+        // bypasses the SOCKS5 proxy entirely, meaning the real host IP
+        // reaches the fingerprinter regardless of proxy config.
+        //
+        // Fix: strip EVERY ICE candidate (host / srflx / prflx / relay /
+        // mDNS). The scanner never needs functional WebRTC peer connections,
+        // so complete suppression is the right trade-off — the page sees
+        // ICE gathering complete with zero candidates, indistinguishable
+        // from a real browser with no usable network interfaces. The
+        // null-candidate sentinel (end-of-gathering signal) still fires so
+        // calling code that awaits ICE-complete doesn't hang.
         safeExecute(() => {
           if (window.RTCPeerConnection) {
             const OriginalRTC = window.RTCPeerConnection;
+            // Filter helper hoisted so both addEventListener and the
+            // property-handler paths apply identical filtering.
+            const stripCandidate = (event) => !event.candidate;
+
             window.RTCPeerConnection = function(...args) {
               const pc = new OriginalRTC(...args);
-              
-              // Intercept onicecandidate to strip local IP addresses
+
               const origAddEventListener = pc.addEventListener.bind(pc);
-              pc.addEventListener = function(type, listener, ...rest) {
+              // Named function (not anonymous) so maskAsNative gets a sensible
+              // 'addEventListener' name when reporting [native code]. The
+              // bulk-mask block at end of applyFingerprintProtection masks
+              // window-level functions ONCE; per-instance functions created
+              // inside this factory (one new closure per `new RTCPeerConnection()`)
+              // would slip through unmasked — detectable via
+              // pc.addEventListener.toString(). Mask each per-instance to
+              // close that.
+              const addEventListenerWrap = function(type, listener, ...rest) {
                 if (type === 'icecandidate') {
                   const wrappedListener = function(event) {
-                    if (event.candidate && event.candidate.candidate) {
-                      // Strip candidates containing local/private IPs
-                      const c = event.candidate.candidate;
-                      if (c.includes('.local') || /(?:10|172\.(?:1[6-9]|2\d|3[01])|192\.168)\./.test(c)) {
-                        return; // suppress local IP candidates
-                      }
-                    }
-                    listener.call(this, event);
+                    if (stripCandidate(event)) listener.call(this, event);
                   };
                   return origAddEventListener(type, wrappedListener, ...rest);
                 }
                 return origAddEventListener(type, listener, ...rest);
               };
-              
-              // Also intercept the property-based handler
-              let _onicecandidateHandler = null;
+              maskAsNative(addEventListenerWrap, 'addEventListener');
+              pc.addEventListener = addEventListenerWrap;
+
+              // Property-based handler. Previously this just stored the
+              // handler in a local variable and never wired it up — pages
+              // setting `pc.onicecandidate = fn` got NO events at all,
+              // detectable as a mismatch vs addEventListener (which DID
+              // fire). Now we forward the wrapped handler to the underlying
+              // setter so both paths behave identically: the page sees only
+              // the null-candidate sentinel. Both get/set extracted to named
+              // consts so maskAsNative can wrap them — without this, a probe
+              // doing `Object.getOwnPropertyDescriptor(pc, 'onicecandidate').get.toString()`
+              // would see the arrow-function source instead of [native code].
+              let _userHandler = null;
+              const getOnIceCandidate = function() { return _userHandler; };
+              const setOnIceCandidate = function(handler) {
+                _userHandler = handler;
+                // Use the prototype setter so we don't infinite-loop on
+                // our own defineProperty. The wrapped handler applies
+                // the same filter as addEventListener.
+                const proto = Object.getPrototypeOf(pc);
+                const desc = Object.getOwnPropertyDescriptor(proto, 'onicecandidate');
+                if (desc && desc.set) {
+                  desc.set.call(pc, typeof handler === 'function'
+                    ? function(event) { if (stripCandidate(event)) handler.call(this, event); }
+                    : handler);
+                }
+              };
+              maskAsNative(getOnIceCandidate, 'get onicecandidate');
+              maskAsNative(setOnIceCandidate, 'set onicecandidate');
               Object.defineProperty(pc, 'onicecandidate', {
-                get: () => _onicecandidateHandler,
-                set: (handler) => {
-                  _onicecandidateHandler = handler;
-                  // No-op — the addEventListener wrapper above handles filtering
-                },
+                get: getOnIceCandidate,
+                set: setOnIceCandidate,
                 configurable: true
               });
-              
+
               return pc;
             };
             Object.setPrototypeOf(window.RTCPeerConnection, OriginalRTC);
@@ -1635,29 +1875,46 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
             return imageData;
           };
 
-          const originalToDataURL = HTMLCanvasElement.prototype.toDataURL;
-          HTMLCanvasElement.prototype.toDataURL = function(...args) {
-            // Apply same deterministic noise by reading through spoofed getImageData
+          // Cache of canvases already noised in their current bytes. toDataURL
+          // and toBlob both do a getImageData + putImageData round-trip to
+          // bake noise into the canvas before the actual export. Each
+          // round-trip is O(width × height) -- ~2M iterations for a 1920x1080
+          // canvas, capped at 500k pixels via the size guard below.
+          //
+          // Repeated calls on the SAME canvas don't need re-noising: the
+          // first call already wrote noised pixel data into the canvas via
+          // putImageData. Skip the round-trip for subsequent calls; the
+          // canvas backing store still has the noised content. Trade-off:
+          // if a page redraws between calls (canvas.drawImage, fillRect,
+          // etc.), the new content won't be re-noised. Acceptable for the
+          // common fingerprinter pattern (draw probe content -> single
+          // toDataURL -> compare to known signature); pathological for
+          // animated canvases that re-toDataURL per frame. WeakMap so a
+          // GC'd canvas drops its noise-cache entry automatically.
+          const noisedCanvases = new WeakMap();
+
+          const applyCanvasNoise = function(canvas) {
+            if (noisedCanvases.has(canvas)) return;
             try {
-              const ctx = this.getContext('2d');
-              if (ctx && this.width > 0 && this.height > 0 && this.width * this.height < 500000) {
-                const imageData = ctx.getImageData(0, 0, this.width, this.height);
+              const ctx = canvas.getContext('2d');
+              if (ctx && canvas.width > 0 && canvas.height > 0 && canvas.width * canvas.height < 500000) {
+                const imageData = ctx.getImageData(0, 0, canvas.width, canvas.height);
                 ctx.putImageData(imageData, 0, 0);
+                noisedCanvases.set(canvas, true);
               }
             } catch (e) {} // WebGL or other context — skip
+          };
+
+          const originalToDataURL = HTMLCanvasElement.prototype.toDataURL;
+          HTMLCanvasElement.prototype.toDataURL = function(...args) {
+            applyCanvasNoise(this);
             return originalToDataURL.apply(this, args);
           };
 
           const originalToBlob = HTMLCanvasElement.prototype.toBlob;
           if (originalToBlob) {
             HTMLCanvasElement.prototype.toBlob = function(callback, ...args) {
-              try {
-                const ctx = this.getContext('2d');
-                if (ctx && this.width > 0 && this.height > 0 && this.width * this.height < 500000) {
-                  const imageData = ctx.getImageData(0, 0, this.width, this.height);
-                  ctx.putImageData(imageData, 0, 0);
-                }
-              } catch (e) {}
+              applyCanvasNoise(this);
               return originalToBlob.call(this, callback, ...args);
             };
           }
@@ -1856,10 +2113,17 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           if (typeof window.fetch === 'function') maskAsNative(window.fetch, 'fetch');
           if (typeof window.PointerEvent === 'function') maskAsNative(window.PointerEvent, 'PointerEvent');
           if (typeof console.debug === 'function') maskAsNative(console.debug, 'debug');
+          // Methods added in this session — same toString-tampering concern.
+          if (typeof window.matchMedia === 'function') maskAsNative(window.matchMedia, 'matchMedia');
+          if (typeof document.hasStorageAccess === 'function') maskAsNative(document.hasStorageAccess, 'hasStorageAccess');
+          if (typeof navigator.getInstalledRelatedApps === 'function') maskAsNative(navigator.getInstalledRelatedApps, 'getInstalledRelatedApps');
 
           // Mask property getters on navigator
+          // 'userActivation' added in this session; 'productSub'/'vendorSub'
+          // are this commit's additions alongside the existing vendor/product.
           const navProps = ['userAgentData', 'connection', 'pdfViewerEnabled', 'webdriver',
-                            'hardwareConcurrency', 'deviceMemory', 'platform', 'maxTouchPoints'];
+                            'hardwareConcurrency', 'deviceMemory', 'platform', 'maxTouchPoints',
+                            'userActivation', 'vendor', 'product', 'productSub', 'vendorSub'];
           navProps.forEach(prop => {
             // Check both instance and prototype (webdriver lives on prototype)
             const desc = Object.getOwnPropertyDescriptor(navigator, prop)
@@ -1867,8 +2131,18 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
             if (desc?.get) maskAsNative(desc.get, 'get ' + prop);
           });
 
-          // Mask window property getters
-          ['screenX', 'screenY', 'outerWidth', 'outerHeight'].forEach(prop => {
+          // Mask Notification.permission getter (static property, added this session).
+          if (typeof Notification !== 'undefined') {
+            const npDesc = Object.getOwnPropertyDescriptor(Notification, 'permission');
+            if (npDesc?.get) maskAsNative(npDesc.get, 'get permission');
+          }
+
+          // Mask screen.orientation getter (added this session).
+          const orientDesc = Object.getOwnPropertyDescriptor(window.screen, 'orientation');
+          if (orientDesc?.get) maskAsNative(orientDesc.get, 'get orientation');
+
+          // Mask window property getters — screenLeft/Top added this session.
+          ['screenX', 'screenY', 'screenLeft', 'screenTop', 'outerWidth', 'outerHeight'].forEach(prop => {
             const desc = Object.getOwnPropertyDescriptor(window, prop);
             if (desc?.get) maskAsNative(desc.get, 'get ' + prop);
           });

package/lib/nettools.js

@@ -418,6 +418,12 @@ function execFileWithTimeout(cmd, args, timeout = 10000) {
 
       reject(new Error(`Command timeout after ${timeout}ms: ${cmd} ${args.join(' ')}`));
     }, timeout);
+    // unref the outer timeout too — a hung dig/whois firing AFTER the
+    // per-URL drain (3s cap) already returned would otherwise hold the
+    // event loop alive for up to `timeout` (5-10s) on scan exit. The exec
+    // callback / 'error' handler still clear it via the existing
+    // clearTimeout, so this only matters for the genuinely-hung case.
+    if (typeof timer.unref === 'function') timer.unref();
 
     // Handle child process errors
     child.on('error', (err) => {
@@ -790,7 +796,17 @@ async function whoisLookupWithRetry(domain = '', timeout = 10000, whoisServer =
             console.log(formatLogMessage('debug', `${messageColors.highlight('[whois-retry]')} Adding ${actualDelay}ms progressive delay before retry ${retryCount + 1} (base: ${baseDelay}ms + extra: ${extraDelay}ms)...`));
           }
         }
-        await new Promise(resolve => setTimeout(resolve, actualDelay));
+        // unref the retry-delay timer so a pending backoff (up to ~30s on
+        // late attempts) can't hold the event loop alive past scan exit
+        // when the per-URL drain has already returned. If the process is
+        // still otherwise busy, the timer fires normally; if it's the only
+        // thing left, the process exits and the now-pointless retry result
+        // never lands. Same pattern as the execFile/overall timers
+        // unref'd in 83209d4.
+        await new Promise(resolve => {
+          const t = setTimeout(resolve, actualDelay);
+          if (typeof t.unref === 'function') t.unref();
+        });
       } else if (serverIndex > 0 && retryCount === 0 && whoisDelay > 0) {
         // Add delay before trying a new server (but not the very first server)
         if (debugMode) {
@@ -800,7 +816,11 @@ async function whoisLookupWithRetry(domain = '', timeout = 10000, whoisServer =
             console.log(formatLogMessage('debug', `${messageColors.highlight('[whois-retry]')} Adding ${whoisDelay}ms delay before trying new server...`));
           }
         }
-        await new Promise(resolve => setTimeout(resolve, whoisDelay));
+        // Same unref rationale as the retry-delay timer above.
+        await new Promise(resolve => {
+          const t = setTimeout(resolve, whoisDelay);
+          if (typeof t.unref === 'function') t.unref();
+        });
       } else if (debugMode && whoisDelay === 0) {
         // Log when delay is skipped due to whoisDelay being 0
         if (logFunc) {
@@ -1232,6 +1252,12 @@ function createNetToolsHandler(config) {
       })(),
       new Promise((_, reject) => {
         overallTimeoutId = setTimeout(() => reject(new Error('NetTools overall timeout')), 65000);
+        // unref so a still-pending overall timeout (handler returned via
+        // drain at 3s but the lookup is technically still in-flight) can't
+        // hold the event loop alive for the full 65s on scan exit. The
+        // finally on the inner promise still clearTimeouts on natural
+        // completion, so this only matters for the genuinely-hung case.
+        if (typeof overallTimeoutId.unref === 'function') overallTimeoutId.unref();
       })
     ]).catch(err => {
       if (forceDebug) {