#Tag · bonfire.cafe

https://github.com/datapartyjs/walk-without-rhythm

@nullagent@partyon.xyz · 2 weeks ago

Just finished writing another tool, now I can see NINE known compromised packages are still up for download on NPM! ⚠️

This tool crawls the list of known bad packages and downloads the latest bundle.

It then runs my other checks against the downloaded bundle and logs the results.

#WalkWithoutRhythm #Sha1Hulud #NPM #GitHub #Microsoft #nodejs #javascript #cybersecurity #devlog #bash

./is-npm-still-dangerous
Reads the data/infected-pkgs.txt
Downloads the latest package metadata for every known infected package
Downloads the current latest package.tgz
Uncompresses and scans the latest version using ./check-projects
Depending upon the scan result
./is-npm-still-dangerous

capacitor-voice-recorder-wav 6.0.3 - STILL COMPROMISED
haufe-axera-api-client 0.0.2 - STILL COMPROMISED
hyper-fullfacing 1.0.3 - STILL COMPROMISED
@ifelsedeveloper/protocol-contracts-svm-idl 0.1.2 - STILL COMPROMISED
my-saeed-lib 0.1.1 - STILL COMPROMISED
quickswap-ads-list 1.0.33 - STILL COMPROMISED
@seung-ju/react-native-action-sheet 0.2.1 - STILL COMPROMISED
tcsp 2.0.2 - STILL COMPROMISED
web-types-lit 0.1.1 - STILL COMPROMISED
web-types-lit 0.1.1 - STILL COMPROMISED
Found 9 npm-reports/npm-latest-bad.txt packages STILL compromised!

See npm-reports/npm-latest-bad.txt for full listing.
Warning - Most people probably don't need to run this. It causes a lot of NPM traffic. Warning - There's a few packages this fails to download and check (likely bc's they are hosted outside of NPMjs.org) — ./is-npm-still-dangerous Reads the data/infected-pkgs.txt Downloads the latest package metadata for every known infected package Downloads the current latest package.tgz Uncompresses and scans the latest version using ./check-projects Depending upon the scan result ./is-npm-still-dangerous capacitor-voice-recorder-wav 6.0.3 - STILL COMPROMISED haufe-axera-api-client 0.0.2 - STILL COMPROMISED hyper-fullfacing 1.0.3 - STILL COMPROMISED @ifelsedeveloper/protocol-contracts-svm-idl 0.1.2 - STILL COMPROMISED my-saeed-lib 0.1.1 - STILL COMPROMISED quickswap-ads-list 1.0.33 - STILL COMPROMISED @seung-ju/react-native-action-sheet 0.2.1 - STILL COMPROMISED tcsp 2.0.2 - STILL COMPROMISED web-types-lit 0.1.1 - STILL COMPROMISED web-types-lit 0.1.1 - STILL COMPROMISED Found 9 npm-reports/npm-latest-bad.txt packages STILL compromised! See npm-reports/npm-latest-bad.txt for full listing. Warning - Most people probably don't need to run this. It causes a lot of NPM traffic. Warning - There's a few packages this fails to download and check (likely bc's they are hosted outside of NPMjs.org)

https://github.com/datapartyjs/walk-without-rhythm?tab=readme-ov-file#similar-sha1-hulud-112425-detection-tools

@nullagent@partyon.xyz · 2 weeks ago

Updated my listing of Sha1-Hulud detection tools.

I now have found at least 12 other tools for detecting Sha1-Hulud compromise on your dev box and in infrastructure.

#WalkWithoutRhythm #Sha1Hulud #npm #github #nodejs #javascript #cybersecurity #devops

Similar Sha1-Hulud 11/24/25 Detection Tools
Links to other projects provided with no warranty express or implied.

https://github.com/TimothyMeadows/sha1hulud-scanner
https://github.com/mottibec/sha1hulud-scanner
https://github.com/gensecaihq/Shai-Hulud-2.0-Detector
https://github.com/tprinty/sha1hulud-action-detector
https://github.com/da1z/amihulud
https://github.com/bobberg/sha1-hulud-folder-checker
https://github.com/servusdei2018/sha1-halud-scan
https://github.com/kevcooper/fremkit
https://github.com/ysskrishna/shai-hulud-detector
https://github.com/Cobenian/shai-hulud-detect
GitHub Scanners
https://github.com/ysskrishna/shai-hulud-detector
panther-labs/panther-analysis#1826 — Similar Sha1-Hulud 11/24/25 Detection Tools Links to other projects provided with no warranty express or implied. https://github.com/TimothyMeadows/sha1hulud-scanner https://github.com/mottibec/sha1hulud-scanner https://github.com/gensecaihq/Shai-Hulud-2.0-Detector https://github.com/tprinty/sha1hulud-action-detector https://github.com/da1z/amihulud https://github.com/bobberg/sha1-hulud-folder-checker https://github.com/servusdei2018/sha1-halud-scan https://github.com/kevcooper/fremkit https://github.com/ysskrishna/shai-hulud-detector https://github.com/Cobenian/shai-hulud-detect GitHub Scanners https://github.com/ysskrishna/shai-hulud-detector panther-labs/panther-analysis#1826

https://github.com/datapartyjs/walk-without-rhythm

@nullagent@partyon.xyz replied · 2 weeks ago

Just finished writing another tool, now I can see NINE known compromised packages are still up for download on NPM! ⚠️

This tool crawls the list of known bad packages and downloads the latest bundle.

It then runs my other checks against the downloaded bundle and logs the results.

#WalkWithoutRhythm #Sha1Hulud #NPM #GitHub #Microsoft #nodejs #javascript #cybersecurity #devlog #bash

d@nny disc@ mc² boosted

@lritter@mastodon.gamedev.place · 3 weeks ago

the first test succeeds, but i have early typechecking in the parser that needs to be put into a second pass.

too late for that today, more tomorrow.

*** execution plan:
test_inline.lrdl:11:1: case
| then a 67:f32
| then a 68:f32
| then a 69:f32
| then a 70:f32
| then a 71:f32
set a f32
test_inline.lrdl:13:1: case
| a x%0
| merge
| | test_inline.lrdl:5:1: case
| | | sub_f32_f32 x%0 69:f32 %1
| | | div_f32_f32 %1 12:f32 %2
| | | powf 2:f32 %2 %3
| | | mul_f32_f32 440:f32 %3 %4
| then z %4
set z f32

*** z
391.995
415.305
440
466.164
493.883 — *** execution plan: test_inline.lrdl:11:1: case | then a 67:f32 | then a 68:f32 | then a 69:f32 | then a 70:f32 | then a 71:f32 set a f32 test_inline.lrdl:13:1: case | a x%0 | merge | | test_inline.lrdl:5:1: case | | | sub_f32_f32 x%0 69:f32 %1 | | | div_f32_f32 %1 12:f32 %2 | | | powf 2:f32 %2 %3 | | | mul_f32_f32 440:f32 %3 %4 | then z %4 set z f32 *** z 391.995 415.305 440 466.164 493.883

extern powf f32 f32 -> f32

inline mtof f32 f32
case
then mtof m (mul 440.0 (powf 2.0 (div (sub m 69.0) 12.0)))

set a f32
set z f32

then a :: 67.0 68.0 69.0 70.0 71.0

case
a x
then z (mtof x)

dump z — extern powf f32 f32 -> f32 inline mtof f32 f32 case then mtof m (mul 440.0 (powf 2.0 (div (sub m 69.0) 12.0))) set a f32 set z f32 then a :: 67.0 68.0 69.0 70.0 71.0 case a x then z (mtof x) dump z

@lritter@mastodon.gamedev.place · 3 weeks ago

alright! looks like we're sufficiently complete now to have more refactoring fun on the user side.

this contrived example here defines disjunctive rules for our inline.

they inline as merge cases; types are inferred correctly.

*** execution plan:
testing/test_inline.lrdl:15:1: case
| then a 67:f32
| then a 68:f32
| then a 69:f32
| then a 70:f32
| then a 71:f32
testing/test_inline.lrdl:16:1: case
| then a -67:f32
| then a -68:f32
| then a -69:f32
| then a -70:f32
| then a -71:f32
set a f32
testing/test_inline.lrdl:18:1: case
| a x%0:f32
| merge
| | testing/test_inline.lrdl:5:1: case
| | | ge x%0:f32 0:f32 %1:Bool
| | | cond %1:Bool
| | | sub x%0:f32 69:f32 %2:f32
| | | div %2:f32 12:f32 %3:f32
| | | powf 2:f32 %3:f32 %4:f32
| | | mul 440:f32 %4:f32 %5:f32
| | testing/test_inline.lrdl:8:1: case
| | | lt x%0:f32 0:f32 %6:Bool
| | | cond %6:Bool
| | | sub -69:f32 x%0:f32 %7:f32
| | | div %7:f32 12:f32 %8:f32
| | | powf 2:f32 %8:f32 %9:f32
| | | mul 440:f32 %9:f32 %5:f32
| then z x%0:f32 %5:f32
set z f32 f32

*** z
-71 493.883
-70 466.164
-69 440
-68 415.305
-67 391.995
67 391.995
68 415.305
69 440
70 466.164
71 493.883 — *** execution plan: testing/test_inline.lrdl:15:1: case | then a 67:f32 | then a 68:f32 | then a 69:f32 | then a 70:f32 | then a 71:f32 testing/test_inline.lrdl:16:1: case | then a -67:f32 | then a -68:f32 | then a -69:f32 | then a -70:f32 | then a -71:f32 set a f32 testing/test_inline.lrdl:18:1: case | a x%0:f32 | merge | | testing/test_inline.lrdl:5:1: case | | | ge x%0:f32 0:f32 %1:Bool | | | cond %1:Bool | | | sub x%0:f32 69:f32 %2:f32 | | | div %2:f32 12:f32 %3:f32 | | | powf 2:f32 %3:f32 %4:f32 | | | mul 440:f32 %4:f32 %5:f32 | | testing/test_inline.lrdl:8:1: case | | | lt x%0:f32 0:f32 %6:Bool | | | cond %6:Bool | | | sub -69:f32 x%0:f32 %7:f32 | | | div %7:f32 12:f32 %8:f32 | | | powf 2:f32 %8:f32 %9:f32 | | | mul 440:f32 %9:f32 %5:f32 | then z x%0:f32 %5:f32 set z f32 f32 *** z -71 493.883 -70 466.164 -69 440 -68 415.305 -67 391.995 67 391.995 68 415.305 69 440 70 466.164 71 493.883

extern powf f32 f32 -> f32

inline mtof f32 f32
case
ge m 0.0
then mtof m (mul 440.0 (powf 2.0 (div (sub m 69.0) 12.0)))
case
lt m 0.0
then mtof m (mul 440.0 (powf 2.0 (div (sub -69.0 m) 12.0)))

set a f32
set z f32 f32

then a :: 67.0 68.0 69.0 70.0 71.0
then a :: -67.0 -68.0 -69.0 -70.0 -71.0

case
a x
then z x (mtof x)

dump z — extern powf f32 f32 -> f32 inline mtof f32 f32 case ge m 0.0 then mtof m (mul 440.0 (powf 2.0 (div (sub m 69.0) 12.0))) case lt m 0.0 then mtof m (mul 440.0 (powf 2.0 (div (sub -69.0 m) 12.0))) set a f32 set z f32 f32 then a :: 67.0 68.0 69.0 70.0 71.0 then a :: -67.0 -68.0 -69.0 -70.0 -71.0 case a x then z x (mtof x) dump z

@lritter@mastodon.gamedev.place replied · 3 weeks ago

if you're getting an aneurysm trying to understand how those mtof cases work, that's because you're trying to read it as a function, but the "function head" is the `then` section, at the end of the block rather than the beginning.

in datalog/prolog, order would be correct:

mtof(m, ...) :- ge(m, 0), ...

but then regular rules are not in execution order.

i'm going to explain the relational model with diagrams in an extra post.

@lritter@mastodon.gamedev.place · 3 weeks ago

sigh. i have one more thing to fix, which is sugar for recognizing expressions as conditions; e.g. when you put `B ...` in a case, or any other buffer B with an omitted boolean in last place, e.g. `eq a b`, this should internally expand to `B ... tmp:bool; cond tmp`

@lritter@mastodon.gamedev.place replied · 3 weeks ago

alright! looks like we're sufficiently complete now to have more refactoring fun on the user side.

this contrived example here defines disjunctive rules for our inline.

they inline as merge cases; types are inferred correctly.

@lritter@mastodon.gamedev.place · 3 weeks ago

@lritter@mastodon.gamedev.place · 3 weeks ago

yes, hooray, it works again!

which means inlines should now theoretically work perfectly. i can make more music

@lritter@mastodon.gamedev.place · 3 weeks ago

this turned into a bigger refactor. the parser needs to work without knowing anything about types, and that's presently not true. it's not impossible to change, but - requires a lot of furniture rearrangement.

@lritter@mastodon.gamedev.place replied · 3 weeks ago

only just managed to get the parser to work again. now the typechecking begins.

@lritter@mastodon.gamedev.place · 3 weeks ago

the first test succeeds, but i have early typechecking in the parser that needs to be put into a second pass.

too late for that today, more tomorrow.

@lritter@mastodon.gamedev.place replied · 3 weeks ago

@lritter@mastodon.gamedev.place · 3 weeks ago

the first test succeeds, but i have early typechecking in the parser that needs to be put into a second pass.

too late for that today, more tomorrow.

@lritter@mastodon.gamedev.place · 3 weeks ago

so i'm thinking, step 1 is adding "inline" buffers (a solution from soufflé), for which cases don't generate code, and which in usage get inlined directly into other cases.

this already covers the need i have for functional macros and i can put off supporting C exports to a later point.

# a more practical example
inline mtof f32 f32
case
then mtof m (mul 440.0 (powf 2.0 (div (sub m 69.0) 12.0))) — # a more practical example inline mtof f32 f32 case then mtof m (mul 440.0 (powf 2.0 (div (sub m 69.0) 12.0)))

inline addmul (x : s32) (y : s32) (z : s32) (out : s32)

case
t1 = mul x y
t2 = add t1 z
then addmul x y z t2

# usage
case
src x y
addmul x y 1 w
then dst w

# internally expands to
case
src x y
merge
case
t1 = mul x y
w = add t1 1
then dst w — inline addmul (x : s32) (y : s32) (z : s32) (out : s32) case t1 = mul x y t2 = add t1 z then addmul x y z t2 # usage case src x y addmul x y 1 w then dst w # internally expands to case src x y merge case t1 = mul x y w = add t1 1 then dst w

@lritter@mastodon.gamedev.place · 3 weeks ago

alright. today's job: support for defining C functions in LRDL.

this should generalize far enough that we can implement `main` this way, and also write shared libraries with it.

but it requires opening the reactor pattern to external users. it significantly complicates interactions and update flow.

hmhmhm. difficult to extract the smallest most elegant idea that works.

nullagent boosted

@nullagent@partyon.xyz · 4 weeks ago

https://github.com/datapartyjs/MeshTNC

Working on BLE packet sniffing and transmission for MeshTNC, bc who doesn't want to do APRS or meshcore over BLE advertisements 😉

My quick hack feels promising so I think I'll clean this up and PR it.

#lora #meshcore #meshtastic #amateurradio #embedded #esp32

@nullagent@partyon.xyz · 4 weeks ago

Just needed one tweak to the KISS encoder to define our port usage and give myself a way to put BLE data out a different port than LoRa data when in KISS mode.

Planning to also support streaming GPS NMEA over KISS eventually as well as promiscuous mode WiF sniffing.... eventually.

So reserved some values for that stuff.

https://github.com/datapartyjs/MeshTNC/pull/41

@nullagent@partyon.xyz replied · 4 weeks ago

Woot, done with BLE receiving. Added some new commands to control it all.

Still need to actually test the KISS output and support transmit.

But its been running all day and seems pretty stable.

#MeshTNC #devlog #radio #ble #lora

#amateurradio #wardriving #ble #embeded #esp32 #devlog #MeshTNC

@nullagent@partyon.xyz · 4 weeks ago

Here I was thinking the KISS protocol support was going to be hard ✨

Actually this flew together, mostly bc @meph already did all the hard stuff on KISS handling.

So just check which output mode we're in and yeet the data at the BLE data KISS port.

@nullagent@partyon.xyz replied · 4 weeks ago

Just needed one tweak to the KISS encoder to define our port usage and give myself a way to put BLE data out a different port than LoRa data when in KISS mode.

Planning to also support streaming GPS NMEA over KISS eventually as well as promiscuous mode WiF sniffing.... eventually.

So reserved some values for that stuff.

@nullagent@partyon.xyz · 4 weeks ago

First things first, I want to make it so that the ASCII CSV output format for BLE packets roughly matches LoRa packets.

Every packet gets an arrival timestamp, type, RSSI and SNR values. Followed by whatever payload.

In the case of BLE packets there's also a 6 byte MAC so I slap that infront of the payload.

There's no SNR data for BLE so that's always 0.0. But the RSSI is good.

#MeshTNC #BLE #LoRa #devlog

#amateurradio #wardriving #ble #embeded #esp32 #devlog #MeshTNC

@nullagent@partyon.xyz replied · 4 weeks ago

Here I was thinking the KISS protocol support was going to be hard ✨

Actually this flew together, mostly bc @meph already did all the hard stuff on KISS handling.

So just check which output mode we're in and yeet the data at the BLE data KISS port.

@nullagent@partyon.xyz · 4 weeks ago

https://github.com/datapartyjs/MeshTNC

Working on BLE packet sniffing and transmission for MeshTNC, bc who doesn't want to do APRS or meshcore over BLE advertisements 😉

My quick hack feels promising so I think I'll clean this up and PR it.

#lora #meshcore #meshtastic #amateurradio #embedded #esp32

@nullagent@partyon.xyz replied · 4 weeks ago

First things first, I want to make it so that the ASCII CSV output format for BLE packets roughly matches LoRa packets.

Every packet gets an arrival timestamp, type, RSSI and SNR values. Followed by whatever payload.

In the case of BLE packets there's also a 6 byte MAC so I slap that infront of the payload.

There's no SNR data for BLE so that's always 0.0. But the RSSI is good.

#MeshTNC #BLE #LoRa #devlog

@nullagent@partyon.xyz · 4 weeks ago