Stealth Is Dead: The 2026 Anti-Bot Stack Has Caught Up
In February 2026, the maintainers of puppeteer-extra-stealth officially deprecated the package. DataDome, Akamai, and HUMAN/PerimeterX have caught up to flag-patching. The new stack is Patchright + Camoufox + residential mobile proxies.
In February 2026, the maintainers of puppeteer-extra-stealth — the most-used anti-detection plugin for headless Chromium scraping — officially deprecated the package. The maintainers’ note acknowledged that the underlying technique, patching Chromium flags to make a headless browser look like a real one, is no longer viable as a general bypass strategy. The detection vendors have caught up.
That deprecation is the cleanest possible signal that the anti-bot equilibrium has shifted. For most of the last seven years, the loop was: a new detection signal ships, the stealth-plugin ecosystem catches up, scrapers run again. The loop closed. The next bypass round will use different primitives entirely.
Here is what actually changed, what the new stack looks like, and what it means for actor publishers.
What the detection vendors did
Three detection vendors matter at the high-value end of the web: DataDome, Akamai Bot Manager, and HUMAN (formerly PerimeterX). Each has a meaningfully different detection philosophy, and the combined surface is what made stealth flag-patching obsolete.
DataDome built its detection around behavioral telemetry combined with TLS fingerprinting and per-customer ML models. The trust score it assigns to each request blends IP reputation, JS execution fingerprint, mouse and keyboard timing, and a per-tenant baseline. A scraper that passes the JS fingerprint check still fails the behavioral one because real users do not move mice in straight lines or click links instantly after page load. In 2025, DataDome added an LLM-crawler classification layer; AI-agent traffic in their data went from 2.6% to over 10% of verified bots between January and August 2025.
Akamai Bot Manager wins on TLS and HTTP/2 fingerprinting. JA4 and JA4H signatures, ALPN ordering, header-order entropy — Akamai catches the scrapers that DataDome misses on behavior, and DataDome catches the scrapers that Akamai misses on TLS. The vendor split means a scraper has to defeat two different detection philosophies on every request to a site that uses both, and many high-value sites do.
HUMAN / PerimeterX wins on device-graph correlation: a fingerprint that has appeared on too many distinct IP addresses in a short window is flagged regardless of whether each individual request looks clean. That cuts the value of fingerprint randomization, because the randomization itself becomes a signal once the device graph reconstructs the underlying campaign.
The combined effect: stealth flag-patching solves the JS-fingerprint problem in isolation, but it does not solve the behavioral, TLS, or device-graph problems. A 2026 stealth stack has to address all four, and the puppeteer-extra-stealth approach addressed only the first.
What the new stack looks like
The bypass stack that actually works in 2026 has converged across the open-source community on a small number of tools.
Patchright is a Playwright fork with the most aggressive baseline anti-detection patches. It ships with the browser-flag and CDP-leak fixes that puppeteer-extra-stealth used to provide, plus a longer list of newer signals.
Camoufox is a Firefox fork built specifically for stealth scraping, with native fingerprint randomization across hundreds of attributes, custom user-agent rotation, and a Python SDK. The Firefox base matters because Cloudflare’s February 2025 hardware-validation challenge targets a Chrome-specific bug; Firefox routes around it.
Residential mobile proxies with rotating ASN pools have replaced static residential proxies as the recommended IP source for high-value targets. The shift reflects the device-graph detection HUMAN deploys: rotating ASN reduces the correlation across requests in ways that rotating only IP within a single ASN does not.
CapSolver for Turnstile and DataDome slider — the solver economics are now public and budgetable. The cost per record on a Turnstile-protected target is roughly $0.0012 from CapSolver, before proxy or compute.
A scraper combining those four primitives can clear most Tier-1 anti-bot configurations in 2026. A scraper using only puppeteer-extra-stealth and a residential proxy cannot.
The bypass-cost squeeze on long-tail actors
The changes in the bypass stack have implications for both publishers and buyers.
For publishers running actors against Cloudflare, DataDome, or Akamai-protected targets: the actor base image needs updating. Actors that ship with vanilla Playwright + the deprecated stealth plugin will see their success rate degrade through 2026. Apify’s templates support custom Playwright builds, and the path is to migrate to Patchright or Camoufox as the runtime, with appropriate proxy configuration injected at the input level. Publishers who do not want to maintain the bypass stack themselves are increasingly routing through managed alternatives like Bright Data’s Scraping Browser, which bundles stealth, residential proxies, and CAPTCHA handling into one per-session cost.
For buyers evaluating actors: the published success rate matters more than ever. An actor that listed 95% success in 2024 against an Akamai-protected target may now run at 40% with no code changes, just because Akamai shipped a new detection layer. The Q1 2026 censuses on this site flag actors whose 30-day demand has flatlined — that is often the signal that detection caught up and the actor is no longer cleared.
The structural read is that the cost of operating a high-quality scraper is going up. Patchright + Camoufox + residential mobile proxies + CapSolver is more expensive per record than the 2023 baseline of vanilla Playwright + datacenter proxies + reCAPTCHA solver. That cost has to either come out of margin (squeezing the long-tail “spray” publishers identified in the Q1 censuses) or get passed through to per-event pricing (which will further widen the gap between leader actors and the long tail).
What does not change
Two things to be precise about.
First, the Bright Data v. Meta ruling on logged-out scraping is unaffected. The legal predicate for resale of public data scraped from logged-out sessions still holds. The detection improvements are technical, not contractual.
Second, pay-per-crawl is the long-term equilibrium, not a stealthier scraper. Cloudflare’s pricing toggle re-frames the entire problem from “can we evade detection” to “what does the publisher charge per page”. Every dollar invested in stealth tooling that becomes obsolete in twelve months is a dollar that could have been invested in negotiating per-page rates with publishers. Some scraping operations are starting to do exactly that. Most are not yet.
The deprecation of puppeteer-extra-stealth is a small event in itself. What it signals is large: the bypass arms race has entered a phase where the detection side has the structural advantage, and the bypass-only strategy has a visible expiration date. The publishers who adapt early — to a new bypass stack, to pay-per-crawl economics, or to higher-quality target selection — will be the ones who keep their actors viable through the next eighteen months.
Sources