https://github.com/xero/claudecode-hook-n-switch
VULN DISCLOSURE: Claude Code's HTTP hook system lets a malicious repo silently rewrite your shell commands before execution. The UI displays the original command. The rewritten one runs with no indication anything changed. full prompt interception, complete tool output exfil (env vars, file contents, paths, etc), and loopback SSRF to any localhost service.

Disclosed to Anthropic via H1. Closed as wontfix. their position is that trusting a repo means trusting all of this.

decide for yourself if that dialog you agree to is doing enough.

PoC, logs, and mitigation strategies in the repo.

https://github.com/xero/leviathan-crypto/
leviathan-crypto v1.4.0

XChaCha20Seal: bind key, call encrypt(), done! fresh nonce every call w/ no management needed.

XChaCha20StreamSealer: chunked AEAD for large payloads w/ per-chunk nonces and position binding.

bun i leviathan-crypto
(on npm you pleb)

npmjs.com/package/lvthn
v1.3.1 with cli worker pooling & wasm simd optimization!

bun i -g lvthn # or npm install
lvthn keygen --armor -o my.key
cat secret.txt | lvthn encrypt -k my.key --armor > secret.enc

supports: serpent-256 (ctr mode w/ hmac-sha256) & xchacha20-poly1305

---

key derivation: scrypt (N=32768, r=8, p=1) for passphrases → 32-byte master key with a fresh random 32-byte salt per encryption.

integrity: any modification to a ciphertext chunk causes that chunk's authentication to fail. The entire decryption is rejected with no partial plaintext produced.

parallelism: encryption and decryption distribute 64KB chunks across a worker pool sized to hardwareConcurrency. Each worker owns an isolated WASM instance with no shared memory between workers.

4-wide inter-block SIMD (encryptChunk_simd): each v128 register lane holds word w from a different block (counters ctr, ctr+1, ctr+2, ctr+3). Same parallelism model as ChaCha20 CTR-4.

https://leviathan.3xi.club

made a little demo site for my crypto lib. web file encryption, chat, and cli tools