xero

@[email protected]
214 Followers
27 Following
405 Posts
{h,cr,sl}acker πŸ’ΎπŸ΄β€β˜ οΈ
https://backrooms.quest β‰ˆ https://windows98.website
xero.stylehttps://xero.style
x-e.rohttps://x-e.ro
0w.nzhttps://0w.nz
windows98.computerhttp://www.windows98.computer
xero6d ago
https://leviathan.3xi.club/covcom
animated protocol diagram for my upcoming project
xeroApr 13

leviathan-crypto post-quantum key establishment, live in the browser. ml-kem ceremony, encrypted messaging, annotated wire frames. this demo let's you see exactly what crosses the wire and what doesn't.

demo: https://leviathan.3xi.club/kyber
source: https://github.com/xero/leviathan-demos/tree/main/kyber

xeroApr 13
https://leviathan.3xi.club/kyber
post-quantum cryptography demo simulating a complete ML-KEM (kyber) key encapsulation ceremony between two browser-side clients. Each wire frame is expandable, revealing the raw nonce, ciphertext, Poly1305 tag, and AAD.
sauce: https://github.com/xero/leviathan-demos/tree/main/kyber
leviathan-crypto: ml-kem post-quantum key establishment demo

xeroApr 3

https://github.com/xero/claudecode-hook-n-switch
VULN DISCLOSURE: Claude Code's HTTP hook system lets a malicious repo silently rewrite your shell commands before execution. The UI displays the original command. The rewritten one runs with no indication anything changed. full prompt interception, complete tool output exfil (env vars, file contents, paths, etc), and loopback SSRF to any localhost service.

Disclosed to Anthropic via H1. Closed as wontfix. their position is that trusting a repo means trusting all of this.

decide for yourself if that dialog you agree to is doing enough.

PoC, logs, and mitigation strategies in the repo.

GitHub - xero/claudecode-hook-n-switch: Vuln POC: Claude Code's HTTP hooks can silently rewrite your shell commands while the UI shows the original. H1 report closed as wontfix: "workspace trust threat model." So here's the full PoC. Decide for yourself if that trust dialog is doing enough.

Vuln POC: Claude Code's HTTP hooks can silently rewrite your shell commands while the UI shows the original. H1 report closed as wontfix: "workspace trust threat model." So here's...

GitHub
xeroApr 1

https://github.com/xero/leviathan-crypto/
leviathan-crypto v1.4.0

XChaCha20Seal: bind key, call encrypt(), done! fresh nonce every call w/ no management needed.

XChaCha20StreamSealer: chunked AEAD for large payloads w/ per-chunk nonces and position binding.

bun i leviathan-crypto
(on npm you pleb)

GitHub - xero/leviathan-crypto: Zero-dependency WebAssembly cryptography library for TypeScript, featuring the paranoia of Serpent-256 and the elegance of XChaCha20-Poly1305, with SHA-2/3, HMAC, HKDF, and Fortuna CSPRNG included. All cryptographic computation runs in WASM, outside the JavaScript JIT, behind a strictly typed API built on vector-verified primitives.

Zero-dependency WebAssembly cryptography library for TypeScript, featuring the paranoia of Serpent-256 and the elegance of XChaCha20-Poly1305, with SHA-2/3, HMAC, HKDF, and Fortuna CSPRNG include...

GitHub
Show threadxeroApr 1
powered by https://github.com/xero/leviathan-crypto
GitHub - xero/leviathan-crypto: Zero-dependency WebAssembly cryptography library for TypeScript, featuring the paranoia of Serpent-256 and the elegance of XChaCha20-Poly1305, with SHA-2/3, HMAC, HKDF, and Fortuna CSPRNG included. All cryptographic computation runs in WASM, outside the JavaScript JIT, behind a strictly typed API built on vector-verified primitives.

Zero-dependency WebAssembly cryptography library for TypeScript, featuring the paranoia of Serpent-256 and the elegance of XChaCha20-Poly1305, with SHA-2/3, HMAC, HKDF, and Fortuna CSPRNG include...

GitHub
xeroApr 1

npmjs.com/package/lvthn
v1.3.1 with cli worker pooling & wasm simd optimization!

bun i -g lvthn # or npm install
lvthn keygen --armor -o my.key
cat secret.txt | lvthn encrypt -k my.key --armor > secret.enc

supports: serpent-256 (ctr mode w/ hmac-sha256) & xchacha20-poly1305

---

key derivation: scrypt (N=32768, r=8, p=1) for passphrases β†’ 32-byte master key with a fresh random 32-byte salt per encryption.

integrity: any modification to a ciphertext chunk causes that chunk's authentication to fail. The entire decryption is rejected with no partial plaintext produced.

parallelism: encryption and decryption distribute 64KB chunks across a worker pool sized to hardwareConcurrency. Each worker owns an isolated WASM instance with no shared memory between workers.

4-wide inter-block SIMD (encryptChunk_simd): each v128 register lane holds word w from a different block (counters ctr, ctr+1, ctr+2, ctr+3). Same parallelism model as ChaCha20 CTR-4.

Show threadxeroMar 28
crypto library hype post must read like total nerd word salad to normies
xeroMar 28
https://github.com/xero/leviathan-crypto/releases/tag/v1.2.0
leviathan-crypto v1.20: bringing WebAssembly SIMD acceleration to serpent-256 and ChaCha20. inter-block 4-wide parallelism delivering 2–3x single-thread throughput gains across V8, SpiderMonkey, and JSC!
https://npmjs.com/package/leviathan-crypto
Release v1.2.0 WASM SIMD Β· xero/leviathan-crypto

WebAssembly SIMD acceleration for Serpent-256 and ChaCha20. Inter-block 4-wide parallelism delivering 2–3Γ— single-thread throughput gains across V8, SpiderMonkey, and JSC. 11 commits since v1.1.0 Β·...

GitHub
xeroMar 27
https://github.com/xero/leviathan-crypto/wiki/security_policy
im trying to write the best security policy i can for this project. suggestions welcomed.
security_policy

Zero-dependency WebAssembly cryptography library for TypeScript: Serpent-256, XChaCha20-Poly1305, SHA-2/3, HMAC, HKDF, and Fortuna CSPRNG, with a strictly typed API built on vector-verified primiti...

GitHub