Hi HN,

I’m sharing mochi.js (https://github.com/0xchasercat/mochi), a Bun-native, raw-CDP browser automation framework. It's designed to make programmatic browser use more effective by focusing on consistency and measured parity with regular traffic, purely from the JS layer, against stock Chromium.

The most common forms of browser automation focus heavily on client-side line by line probes, which are mostly cosmetic. This makes people feel better but it doesn't have much relevance to actual WAF or anti-automation defences.

Mochi.js focuses on what actually matters, allowing you to get past captchas, WAF's and most defence mechanisms. In fact, in some cases it actually outperforms chromium forks simply by virtue of not having to lie.

The foundation is built on a probe manifest based on analyzing several WAF's and trying to cover most of the ground that matters, and from there building upwards while ensuring every decision is backed by data. Solves turnstile/interstitial automatically, single digit fpjs suspect score, very good client-side results, though browserscan and a few others are known limitations that are fundamentally conflicting with what WAF's probe for.

I'll be here if anyone wants to discuss the details, check out the docs and github. It's completely free and open source, MIT, strictly no relationship to any proprietary products whatsoever. No affiliation to patched chromium forks, or SaaS.

But I also want to talk about why I built this, because the current paradigm of "bot detection" is fundamentally broken.

Traditionally they would probably try to label my repository a malicious tool, or at best, a grey hat one.

Let's take Turnstile for example, If you attach a debugger to see what data they are extracting from your hardware, their script intentionally self-destructs. When they try to extract your data—acting as a guest on your silicon, using your electricity, without asking, the industry calls it "Security."

But if you write a script to control exactly what data your own hardware emits, refusing to provide the data they have no right to ask for, you are suddenly labeled a "Malicious Actor" engaged in "Bot Evasion."

I find it absurd we let ourselves put up with this, and the stance of the bot-evasion community only makes them feel more able to take a higher moral ground.

I have built a library that respects my hardware's reality. If that breaks your security model, that's because your security model relies on trespassing and secrecy. I stopped apologizing. Who's next?

Mochi is the exact opposite of WAF opacity. It is a glass box. It is MIT-licensed. The entire DAG, fingerprint manifest schema, harvesting process, is documented. We even commit our live benchmarks to the public record (mochi on a Linux datacenter IP scored a suspect_score: 8 and bot: not_detected against FingerprintJS Pro v4).

We don't even lie unnecessarily. We default to host-OS matching. If you run mochi on a Linux server, it uses privacy-sensible fingerprints for Linux, not Windows, because Linux is a real-user signal. It proves that WAFs aren't actually blocking what most people think they are, which begs the question of what they are really doing in that obfuscated payload.

The legitimacy argument is exactly how they captured the narrative. And nobody challenged it because the people on the other side were too busy acting like they were doing something wrong.

Is this a conspiracy theory? For sure, but only because they allow it to be. Try make a conspiracy theory about the sticky riceball.

UK firm aims to build 'data centre' using 50k lampposts in Nigeria

Show HN: Chuchu, an Android SSH client built on libghostty

Jankó Keyboard

Manufacturing qubits that can move

Our side project: cyber-research-AI IDE, writing an exploit for CVE-2026-23918 [video]

Britain Learned and Unlearned Nuclear

J2G – Convert Jenkinsfiles to GitLab CI (.gitlab-ci.yml), offline

Nature's hardware store: building the future with biology [video]

Novo Navis Intelligence Sobers Up the AI Community

Show HN: AaaS – Agent as a Service

Cambridge University Raises Money to Help the Homeless in Cambridge

The FCC Wants Your ID Before You Get a Phone Number

Wanted: A new tech-industry writer for The Economist

Refineshot: Rethink Cinematography with Foundational Skill Evaluation

GrapheneOS fixes Android VPN leak Google refused to patch

AWS to also block ipcomp and xfrm modules in DirtyFrag mitigation

Rtwatch: Watch videos with friends using WebRTC

Canvas Data Breach; DeepSeek V4 Flash Boosts LLM Inference 4.3x

I am the best lightsaber fighter in Europe

Self-Fulfilling Misalignment Data Might Be Poisoning Our AI Models (2025)

It Was a Good Quarter for "Other Income" [A16Z Charts on AI Growth]

Callbacks in C++ using template functors (Rich Hickey, 1996)

Show HN: Mochi.js: bun-native high-fidelity browser automation library

Frontier Airlines plane hits person on runway during takeoff at Denver airport

Running Codex Safely at OpenAI

Marrying for power: Gendered alliances in mafias

Meta can read your Instagram DMs starting Friday

GameStop CEO Trying to Buy eBay Says He Was Banned from eBay

What the Naysayers of Vibe Coding Are Getting Wrong

Working with Cowork: Claude Desktop Is Three Apps Pretending to Be One

Ask HN: Books for LLMs