Mochi.js is a Bun-native browser automation framework that bypasses anti-bot defenses by using raw Chrome DevTools Protocol (CDP) against stock Chromium, rather than relying on cosmetic client-side probes. It targets the actual heuristics used by CAPTCHAs and web application firewalls (WAFs), aiming for consistency with regular traffic rather than mimicry.
Overview
Mochi.js (MIT license, available at https://github.com/0xchasercat/mochi) is designed for programmatic browser use where existing tools like Playwright and Puppeteer leave detectable fingerprints. The framework operates purely from the JavaScript layer, using stock Chromium — not a forked browser — which the author claims can outperform forked browsers in some cases by avoiding the need to lie about browser identity.
The framework is built on a probe manifest derived from analyzing multiple WAFs, covering the detection surfaces that actually matter for anti-automation systems. It requires Bun ≥ 1.1 and runs on macOS, Linux, and Windows.
Five pillars
Mochi.js organizes its anti-detection strategy into five areas:
- Relational consistency engine: Every fingerprint surface (canvas, WebGL, audio, fonts, MediaDevices, WebGPU) derives from a single (profile, seed) pair through a 48-rule directed acyclic graph (DAG). This prevents mismatches like a Mac user agent appearing next to Linux WebGL data.
- Chromium-native fetch:
session.fetch()routes through Chromium itself via CDP —Network.loadNetworkResourcefor simple GETs,page.evaluate('fetch')for non-GET requests. This means JA4/JA3/JA3 hashes and HTTP/2 fingerprints are real Chrome by definition, with no parallel HTTP layer to keep in sync. - Behavioral synthesis:
humanClick,humanType, andhumanScrollsynthesize from biomechanical models — Bezier paths with overshoot and correction, Fitts-law movement times, and lognormal digraph delays. These are parameterized by profile settings for hand, tremor, wpm, and scroll style. - Probe-Manifest harness: Captured baselines from real devices live in the repository. Every pull request diffs the live session's probe manifest against the baseline; zero-diff is a CI gate. Intentional divergences require a written rationale.
- One coherent stack: Replaces the typical hand-stitched pipeline (Patchright + fingerprint-injector + Turnstile clicker + curl-impersonate) with a single library that owns the entire automation end-to-end. Bun-only — no Node, no Python sidecars, no proprietary components.
Three-line stealth
The framework uses Playwright-like syntax. A basic session launches in three lines:
import { mochi } from "@mochi.js/core";
const session = await mochi.launch({
profile: "linux-chrome-stable",
seed: "user-12345",
});
const page = await session.newPage();
await page.goto("https://target.example/checkout");
console.log("UA:", session.profile.userAgent);
await session.close();
The profile and seed parameters produce a relationally coherent fingerprint that survives a getParameter(0x9245) probe — a known WebGL fingerprinting test.
Tradeoffs
Mochi.js is Bun-only, which limits its use in Node.js or Python environments. It also requires stock Chromium — no forked browsers are supported. The framework is relatively new (the repository shows early-stage development), and its probe manifest coverage depends on the WAFs analyzed so far. Users should verify compatibility with their target sites.
Bottom line
Mochi.js offers a focused alternative to existing browser automation frameworks for developers who need to bypass modern anti-bot defenses without relying on browser forks or extensive client-side patching. Its probe-manifest approach and raw-CDP design are worth evaluating if you're hitting WAF or CAPTCHA issues with Playwright or Puppeteer.