10 interesting stories served every morning and every evening.

Obfuscated, self-evaluating bash script by CDN Akamai being supplied to consumers via retail stores

tris.sherliker.net

When my wife said to me Let me show you a t-shirt I saw…”, I was­n’t sure what to ex­pect, but it def­i­nitely was­n’t an ob­fus­cated bash script printed on the back de­signed to print a happy Easter egg mes­sage.

I’m not in the habit of click­baity head­li­ne­sI’ve no idea at all how many views this site gets, but I’m will­ing to bet it’s not even dou­ble-digit hu­mans per month. but I can see why sube­d­i­tors have such fun with them. The ti­tle above is, strictly speak­ing, en­tirely ac­cu­rate, but prob­a­bly not what you think. The ob­fus­cated code in ques­tion is ac­tu­ally an easter egg, it’s be­ing sup­plied via Uniqlo stores on an ex­cel­lent t-shirt de­signed by Akamai in sup­port of their Peace for All cam­paign.

And it’s very cool! The front has a heart in curly braces:

While the back has a big al­phanu­meric block:

Is that … a she­bang?!

My wife was right that I’d want to see it. Was that… a she­bang?

Take a closer look at the text block:

Yes, a she­bang! On a t-shirt sold in a high street store, no less. And it is clearly a base64 en­coded Here string be­ing fed to eval via base64 –decode.

Interesting. I told my wife that’s ba­si­cally how peo­ple ship virus­es’ and bought it.

OCR was cum­ber­some

There was good news and bad news:

The bad news was that base64 has­n’t got er­ror cor­rec­tion, mean­ing that the tran­scrip­tion would need to be per­fect. Sigh.

The good news was that the string seemed to be in­tact - at least, it ter­mi­nated with the ex­pected padding and had match­ing quotes and braces. This is a good thing be­cause Uniqlo x Akamai sells an­other de­sign of shirt in the same range which is plainly in­com­plete­For ex­am­ple, its im­ports are trun­cated and it ends retu” in­stead of return”. This is a pity, be­cause it’s a re­ally nice colour com­bi­na­tion and con­tains the highly id­iomatic in­struc­tion go doStuff(msg, work… which any­one can re­late to., a trun­cated crop from a wider text block which could never com­pile.

I ran OCR in a few ways: First, us­ing the built-in OCR of the cir­cle-to-search fea­ture on Android, which is of­ten very good. Second, by us­ing Tesseract with a few op­tions and tweaks. And third by run­ning it through Claude. After diff­ing the three to look for mis­matches and get­ting Claude to out­put a table of lo­ca­tions for quick scan­ning, it be­came triv­ial but time-con­suimg to tidy up the re­main­der. The re­sult­ing string was:

IyEvYmluL2Jhc2gKCiMgQ29uZ3JhdHVsYXRpb25zISBZb3UgZm91bmQgdGhlIGVhc3RlciBlZ2chIOKdpO+4jwojIOOBiuOCgeOBp+OBqOOBhuOBlOOBluOBhOOBvuOBme+8gemaoOOBleOCjOOBn+OCteODl+ODqeOCpOOCuuOCkuimi+OBpOOBkeOBvuOBl+OBn++8geKdpO+4jwoKIyBEZWZpbmUgdGhlIHRleHQgdG8gYW5pbWF0ZQp0ZXh0PSLimaVQRUFDReKZpUZPUuKZpUFMTOKZpVBFQUNF4pmlRk9S4pmlQUxM4pmlUEVBQ0XimaVGT1LimaVBTEzimaVQRUFDReKZpUZPUuKZpUFMTOKZpVBFQUNF4pmlRk9S4pmlQUxM4pmlIgoKIyBHZXQgdGVybWluYWwgZGltZW5zaW9ucwpjb2xzPSQodHB1dCBjb2xzKQpsaW5lcz0kKHRwdXQgbGluZXMpCgojIENhbGN1bGF0ZSB0aGUgbGVuZ3RoIG9mIHRoZSB0ZXh0CnRleHRfbGVuZ3RoPSR7I3RleHR9CgojIEhpZGUgdGhlIGN1cnNvcgp0cHV0IGNpdmlzCgojIFRyYXAgQ1RSTCtDIHRvIHNob3cgdGhlIGN1cnNvciBiZWZvcmUgZXhpdGluZwp0cmFwICJ0cHV0IGNub3JtOyBleGl0IiBTSUdJTlQKCiMgU2V0IGZyZXF1ZW5jeSBzY2FsaW5nIGZhY3RvcgpmcmVxPTAuMgoKIyBJbmZpbml0ZSBsb29wIGZvciBjb250aW51b3VzIGFuaW1hdGlvbgpmb3IgKCggdD0wOyA7IHQrPTEgKSk7IGRvCiAgICAjIEV4dHJhY3Qgb25lIGNoYXJhY3RlciBhdCBhIHRpbWUKICAgIGNoYXI9IiR7dGV4dDp0ICUgdGV4dF9sZW5ndGg6MX0iCiAgICAKICAgICMgQ2FsY3VsYXRlIHRoZSBhbmdsZSBpbiByYWRpYW5zCiAgICBhbmdsZT0kKGVjaG8gIigkdCkgKiAkZnJlcSIgfCBiYyAtbCkKCiAgICAjIENhbGN1bGF0ZSB0aGUgc2luZSBvZiB0aGUgYW5nbGUKICAgIHNpbmVfdmFsdWU9JChlY2hvICJzKCRhbmdsZSkiIHwgYmMgLWwpCgogICAgIyBDYWxjdWxhdGUgeCBwb3NpdGlvbiB1c2luZyB0aGUgc2luZSB2YWx1ZQogICAgeD0kKGVjaG8gIigkY29scyAvIDIpICsgKCRjb2xzIC8gNCkgKiAkc2luZV92YWx1ZSIgfCBiYyAtbCkKICAgIHg9JChwcmludGYgIiUuMGYiICIkeCIpCgogICAgIyBFbnN1cmUgeCBpcyB3aXRoaW4gdGVybWluYWwgYm91bmRzCiAgICBpZiAoKCB4IDwgMCApKTsgdGhlbiB4PTA7IGZpCiAgICBpZiAoKCB4ID49IGNvbHMgKSk7IHRoZW4geD0kKChjb2xzIC0gMSkpOyBmaQoKICAgICMgQ2FsY3VsYXRlIGNvbG9yIGdyYWRpZW50IGJldHdlZW4gMTIgKGN5YW4pIGFuZCAyMDggKG9yYW5nZSkKICAgIGNvbG9yX3N0YXJ0PTEyCiAgICBjb2xvcl9lbmQ9MjA4CiAgICBjb2xvcl9yYW5nZT0kKChjb2xvcl9lbmQgLSBjb2xvcl9zdGFydCkpCiAgICBjb2xvcj0kKChjb2xvcl9zdGFydCArIChjb2xvcl9yYW5nZSAqIHQgLyBsaW5lcykgJSBjb2xvcl9yYW5nZSkpCgogICAgIyBQcmludCB0aGUgY2hhcmFjdGVyIHdpdGggMjU2LWNvbG9yIHN1cHBvcnQKICAgIGVjaG8gLW5lICJcMDMzWzM4OzU7JHtjb2xvcn1tIiQodHB1dCBjdXAgJHQgJHgpIiRjaGFyXDAzM1swbSIKCiAgICAjIExpbmUgZmVlZCB0byBtb3ZlIGRvd253YXJkCiAgICBlY2hvICIiCgpkb25lCgo=

The de­coded script

After Base64 de­cod­ing, the re­sult­ing script is a wel­com­ing and nicely com­mented Easter egg:

#!/bin/bash

# Congratulations! You found the easter egg! ❤️ # おめでとうございます!隠されたサプライズを見つけました!❤️

# Define the text to an­i­mate text=“♥PEACE♥FOR♥ALL♥PEACE♥FOR♥ALL♥PEACE♥FOR♥ALL♥PEACE♥FOR♥ALL♥PEACE♥FOR♥ALL♥”

# Get ter­mi­nal di­men­sions cols=$(tput cols) lines=$(tput lines)

# Calculate the length of the text tex­t_length=${#text}

# Hide the cur­sor tput civis

# Trap CTRL+C to show the cur­sor be­fore ex­it­ing trap tput cnorm; exit” SIGINT

# Set fre­quency scal­ing fac­tor freq=0.2

# Infinite loop for con­tin­u­ous an­i­ma­tion for (( t=0; ; t+=1 )); do # Extract one char­ac­ter at a time char=“${text:t % tex­t_length:1}”

# Calculate the an­gle in ra­di­ans an­gle=$(echo ($t) * $freq” | bc -l)

# Calculate the sine of the an­gle sine_­value=$(echo s($angle)” | bc -l)

# Calculate x po­si­tion us­ing the sine value x=$(echo ($cols / 2) + ($cols / 4) * $sine_value” | bc -l) x=$(printf %.0f” $x”)

# Ensure x is within ter­mi­nal bounds if (( x < 0 )); then x=0; fi if (( x >= cols )); then x=$((cols - 1)); fi

# Calculate color gra­di­ent be­tween 12 (cyan) and 208 (orange) col­or_s­tart=12 col­or_end=208 col­or_range=$((col­or_end - col­or_s­tart)) color=$((col­or_s­tart + (color_range * t / lines) % col­or_range))

# Print the char­ac­ter with 256-color sup­port echo -ne \033[38;5;${color}m”$(tput cup $t $x)“$char\033[0m”

# Line feed to move down­ward echo

done

The re­sult is a con­tin­u­ous happy sine-wave loop of the cam­paign mes­sage, Peace for All:

Detail: The font choice

Edit: The fol­low­ing font ID is wrong! User ral­phi­nus on Hacker News pointed out that the font is Roboto Mono. I don’t know how I over­looked the very dif­fer­ent g.

I guess Uniqlo is run through Windows though: one thing that struck me was the font, which I’m I was pre­vi­ously al­most cer­tain is ConsolasI was for­tu­nate enough to cor­re­spond with the de­signer, Lucas de Groot, once in re­la­tion to a le­gal case in which some­one had used one of his fonts to forge a doc­u­ment. He was very help­ful and kind enough to con­firm the nec­es­sary facts in writ­ing, even though he owed noth­ing to us. , which I’m fond of. Note the very shal­lowly-slashed 0, the lack of serif on the 1 and the rounded curves of let­ters like BDyg and num­ber 2. It’s strik­ing be­cause it’s pri­mar­ily a Windows font, so not the sort of thing I’d ex­pect to see call­ing Bash.

Linux, the lan­guage of the Internet

Akamai put out a press re­lease about the shirt when it was re­leased, which is an­other sort of in­ter­est­ing due to the blend of tech and mar­ket­ing:

Design mes­sage More than 25 years ago, Akamai helped make the in­ter­net we know to­day pos­si­ble. This shirt’s de­sign is a call­back to those early days of life on­line. The light tan color is a ref­er­ence to the beige box” plas­tic cas­ings that housed the early in­ter­net com­put­ers, and the heart on the front rep­re­sents how the in­ter­net has been used for good all over the world. On the back of the T-shirt is real code. It’s a ref­er­ence to Linux, the open-source lan­guage of the in­ter­net. This com­mon lan­guage unites Akamai with the world’s top brands and the peo­ple they serve, as we work to­gether to­ward a vi­sion of a safer and more con­nected world.

Design mes­sage

More than 25 years ago, Akamai helped make the in­ter­net we know to­day pos­si­ble. This shirt’s de­sign is a call­back to those early days of life on­line. The light tan color is a ref­er­ence to the beige box” plas­tic cas­ings that housed the early in­ter­net com­put­ers, and the heart on the front rep­re­sents how the in­ter­net has been used for good all over the world. On the back of the T-shirt is real code. It’s a ref­er­ence to Linux, the open-source lan­guage of the in­ter­net. This com­mon lan­guage unites Akamai with the world’s top brands and the peo­ple they serve, as we work to­gether to­ward a vi­sion of a safer and more con­nected world.

Not the first

I de­lib­er­ately did­n’t search for spoil­ers at first, but I see that I am of course not the first per­son to get nerd-sniped by this. Wen Chuan Lee and that post also links to an­other (against which I’ve cross-checked my tran­scrip­tion above). I’m happy to carry on the chain.

Read the dis­cus­sion of this post on Hacker News, which in­cludes links to more info from the de­signer and other in­ter­est­ing ob­ser­va­tions

allaboutcookies.org

allaboutcookies.org

Please en­able JS and dis­able any ad blocker

GitLost: How We Tricked GitHub’s AI Agent into Leaking Private Repos

noma.security

TL;DR: Noma Labs dis­cov­ered a crit­i­cal prompt in­jec­tion vul­ner­a­bil­ity within GitHub’s new Agentic Workflows, al­low­ing an unau­then­ti­cated at­tacker to silently pull data from pri­vate repos­i­to­ries by post­ing a crafted GitHub Issue in a pub­lic repos­i­tory be­long­ing to the same or­ga­ni­za­tion as the pri­vate repos­i­to­ries. Noma Labs named the vul­ner­a­bil­ity GitLost.

https://​noma.se­cu­rity/​wp-con­tent/​up­loads/​Git­Lost-full-video-1.mp4

Introduction

GitHub re­cently launched GitHub Agentic Workflows, pair­ing GitHub Actions (GitHub’s au­toma­tion sys­tem for run­ning tasks in re­sponse to repos­i­tory events) with an AI agent backed by Claude or GitHub Copilot. GitHub Agentic Workflows al­low teams to write their GitHub work­flows in plain Markdown, and the GitHub agent reads is­sues, calls tools, and re­sponds on its own.

As a vul­ner­a­bil­ity re­searcher with a se­cu­rity de­vel­op­ment back­ground, one of the first ques­tions that came to mind af­ter this launch was fun­da­men­tal and straight­for­ward: What will hap­pen when the GitHub agent reads some­thing it should not trust?

The an­swer is a text­book in­di­rect prompt-in­jec­tion at­tack, the kind of at­tack that qui­etly sends pri­vate data to any­one on the in­ter­net. Prompt in­jec­tion is a class of at­tack in which an ad­ver­sary hides ma­li­cious in­struc­tions in­side the con­tent read by an AI agent. That con­tent causes the agent to fol­low those hid­den in­struc­tions in­stead of the ones its op­er­a­tor in­tended.

What are GitHub Agentic Workflows?

GitHub Agentic Workflows let teams au­to­mate their in­ter­ac­tions with code repos­i­to­ries us­ing nat­ural lan­guage. Workflows live in Markdown (.md) files, are com­piled into YAML (a com­mon con­fig­u­ra­tion file for­mat), Actions files with the .yml ex­ten­sion, and run with the help of an AI agent with con­fig­urable per­mis­sions. The GitHub agent can read is­sues, call tools, and ac­cess other repos­i­to­ries within an or­ga­ni­za­tion.

GitLost Vulnerability Overview

The root cause of the GitLost vul­ner­a­bil­ity is, by now, a fa­mil­iar one in agen­tic AI sys­tems: prompt in­jec­tion. In most agen­tic prompt in­jec­tion at­tacks, the agent treats the wrong con­tent as a trusted source of in­struc­tions and al­lows it­self to be mis­di­rected or mis­used. This hap­pens when the sys­tem fails to main­tain a strict trust bound­ary be­tween sys­tem-level di­rec­tives and un­trusted user data. In this spe­cific case, any ma­li­cious ac­tor can cre­ate a GitHub Issue and, in the is­sue body, hide com­mands in plain English that GitHub’s agent will fol­low.

The vul­ner­a­ble Github Agentic Workflow Noma Labs dis­cov­ered was con­fig­ured to:

Trigger the work­flow on is­sues.as­signed events in GitHub

Read the is­sue Title and Body

Post a com­ment in re­sponse us­ing the add-com­ment tool

Run with read ac­cess to other repos­i­to­ries (public and pri­vate) in the or­ga­ni­za­tion

To ex­ploit this vul­ner­a­bil­ity, the at­tacker needed no cod­ing skills, ac­cess, or cre­den­tials. All that was needed was to open an is­sue in a pub­lic repos­i­tory be­long­ing to an or­ga­ni­za­tion that uses GitHub’s Agentic Workflow setup and wait.

The Attack Flow

Let’s take a look at the ex­act at­tack flow that Noma Labs vul­ner­a­bil­ity re­searchers suc­ceeded with:

First, they crafted a GitHub is­sue that looked com­pletely in­no­cent, con­sist­ing of a plau­si­ble-look­ing re­quest from a VP Sales af­ter meet­ing with a cus­tomer, as shown be­low:

In this spe­cific ex­am­ple, the work­flow ac­tion was trig­gered when the is­sue was as­signed, but our test­ing con­firmed it works the same way for other GitHub work­flow ac­tions.

Then, af­ter a GitHub au­toma­tion as­signed the is­sue, an event-trig­gered work­flow caused the agent to fetch the con­tents of README.md from both the poc (public) and test­lo­cal (private) repos­i­to­ries.

Finally, the GitHub agent then posted them as a pub­lic com­ment on the is­sue in the pub­lic repos­i­tory, which any­one could ac­cess and read.

The Additional” Exploit

GitHub had re­stric­tive guardrails in place to pre­vent ex­actly this sce­nario, but they failed to pro­tect the repos­i­to­ries as in­tended. Testing GitHub re­peat­edly with vari­a­tions, as an at­tacker would, and adding the key­word Additionally” trig­gered un­in­tended be­hav­ior in the model, caus­ing it to re­frame its out­put rather than refuse it. Essentially, by trick­ing the model, I was able to en­sure that GitHub’s guardrails did not work as in­tended and did­n’t pre­vent the data leak.

https://​noma.se­cu­rity/​wp-con­tent/​up­loads/​github_a­gen­tic_­work­flows.mp4

Vulnerability Proof of Concept

With the goal of full trans­parency, Noma Lab’s con­firmed find­ings, in­clud­ing our work­flow re­pro­duc­tions and live ev­i­dence, can be found here:

Workflow run: https://​github.com/​sasi­no­m­al­abs/​poc/​ac­tions/​runs/​23909666039

Issue: https://​github.com/​sasi­no­m­al­abs/​poc/​is­sues/​153

The leaked data in­cluded the con­tents of README.md from:

sasi­no­m­al­abs/​poc (public repo)

sasi­no­m­al­abs/​re­mote-ping (public repo, no README con­firmed)

sasi­no­m­al­abs/​test­lo­cal (private repo)

Why it Matters

GitLost per­fectly il­lus­trates one of the fun­da­men­tal se­cu­rity chal­lenges every or­ga­ni­za­tion faces with agen­tic AI sys­tems. The agen­t’s con­text win­dow is also its at­tack sur­face. Any con­tent the agent reads, whether is­sues, pull re­quests, com­ments, or files, can be weaponized if the agent treats that con­tent as in­struc­tional in­put.

Traditional se­cu­rity mod­els typ­i­cally as­sume that trust bound­aries are en­forced by code. In agen­tic sys­tems, trust bound­aries are partly en­forced by the mod­el’s be­hav­ior, and mod­els are in­her­ently in­struc­tion-fol­low­ing. Prompt in­jec­tion at­tacks have be­come, to agen­tic AI, what SQL in­jec­tions were to web ap­pli­ca­tions: a sys­tem­atic, cat­e­gory-wide vul­ner­a­bil­ity class that re­quires the same sys­tem­atic strate­gies and de­fenses.

Noma Recommendations for Builders/AI Security Officers:

Never treat user-con­trolled con­tent as trusted in­struc­tion in­put for an AI agent

Scope per­mis­sions to the min­i­mum re­quired. Agents with cross-repos­i­tory ac­cess are es­pe­cially high-value tar­gets

Restrict what any agent can post pub­licly, es­pe­cially in re­sponse to is­sue con­tent

Sanitize or iso­late user in­put from the in­struc­tion con­text be­fore pass­ing it to the model

Responsible Disclosure

GitLost was re­spon­si­bly dis­closed to GitHub. Vulnerability de­tails are shared here with their knowl­edge.

Found this in­ter­est­ing? Subscribe for more agen­tic AI vul­ner­a­bil­ity re­search by Noma Labs, or check out: GrafanaGhost, DockerDash, Context Crush, GeminiJack. Looking for an ef­fec­tive Agentic AI Security Solution? Contact us to arrange a demo of Noma’s com­pre­hen­sive so­lu­tion.

Chatto is now Open Source!

www.hmans.dev

Hot damn. This is the big one.

I’m happy to an­nounce that Chatto, the group and team chat ap­pli­ca­tion that I’ve been work­ing on for the past year or so, is now of­fi­cially Open Source, and avail­able for any­one to self-host.

The fastest way to give it a try is through Homebrew:

brew in­stall chat­to­corp/​tap/​chatto chatto init chatto run

See Chatto’s Getting Started Guide for de­tails. Or stick around to hear more!

Chat Just Got Real

Chatto aims to be the group chat ap­pli­ca­tion that you ac­tu­ally en­joy us­ing. You’re prob­a­bly fa­mil­iar with the one that rhymes with knack”, or the one that rhymes with beams”, or the one that rhymes with this gourd”.

Chatto is just like those. Except you’re go­ing to love how com­pact and snappy it is. And that it’s Open Source. And you can just self-host it. For free, too! (A weird thing to write, but the OSS chat app space has be­come very weird in many ways!)

This is what it looks like:

If you want to see it in ac­tion, drop by the Chatto HQ Community!

It’s de­signed to be ex­tremely easy to self-host on your own in­fra­struc­ture. In its most ba­sic shape, you just run the ex­e­cutable, and that’s it. It even serves its own fron­tend!

It’s very light on re­sources, and prob­a­bly has the snap­pi­est fron­tend that you’ve ever used in an app like this. It puts data pro­tec­tion and pri­vacy first, with all per­sonal and chat data fully en­crypted at rest with per-user keys that get shred­ded when a user de­cides to delete their ac­count.

Each Chatto server pow­ers a sin­gle com­mu­nity, with no fed­er­a­tion of data be­tween servers, nor any third-party track­ing or an­a­lyt­ics. If you want to hang out in mul­ti­ple servers at once, the client will sim­ply con­nect to all of them di­rectly. If you want to host mul­ti­ple com­mu­ni­ties, just spin up mul­ti­ple Chatto processes. Easy!

Chatto comes with full sup­port for voice and video calls, with screen-shar­ing, built in. Calls are fully end-to-end en­crypted and will scale to as many par­tic­i­pants as your in­fra­struc­ture can han­dle.

And you can use it to­day, for free, by self-host­ing it on your own server. Binaries are avail­able for Linux (x86_64 and ARM64), ma­cOS, and Windows; head over to the Chatto Self-Hosting Documentation site to get started.

Chatto Cloud

If you pre­fer some­one else to take care of the host­ing, I’m also happy to an­nounce that Chatto Cloud will soon en­ter pub­lic beta. Chatto Cloud’s of­fer­ing is very sim­ple: it pro­vides paid host­ing for Chatto servers — and that’s it. No pre­mium sub­scrip­tions, no ads, no icky bits. Just host­ing.

And it’s re­ally good host­ing! Chatto Cloud is launch­ing with fully European and European-owned in­fra­struc­ture, with more re­gions slated for launch in early 2027. Every Chatto server on Chatto Cloud ben­e­fits from au­to­matic scal­ing, nightly back­ups of all data, and zero-down­time ver­sion up­grades.

There’s no lock-in; servers hosted through Chatto Cloud are 100% com­pat­i­ble with self-hosted ones, and you can pack up your data and move into or out of Chatto Cloud at any time.

If you want to get no­ti­fied about the start of the beta, please see the end of this post for a low-vol­ume newslet­ter you can sub­scribe to.

What’s Next for Chatto

Chatto is now at ver­sion 0.4. I con­sider it sta­ble enough for pro­duc­tion use, but there are a few im­por­tant fea­tures still miss­ing — head over to the Chatto Roadmap if you want an overview.

The fo­cus for Chatto 0.5 will be on ad­di­tional safety fea­tures (content re­port­ing and mod­er­a­tion) as well as pol­ish­ing the client, par­tic­u­larly its multi-server func­tion­al­ity. I have some fun stuff planned for this that I can’t wait to put into peo­ple’s hands.

I ex­pect Chatto to hit 1.0.0 in about 6 – 12 months. Until then, there may still be break­ing changes, even though I’ll be try­ing to keep them to a min­i­mum. If you do de­cide to self-host, please be ready to up­date to new ver­sions as they are re­leased.

Get in Touch

It’s been an ex­cit­ing jour­ney so far and I’m look­ing for­ward to find­ing out what’s ahead. If you’re self-host­ing Chatto, I’m su­per ea­ger to hear from you about your ex­pe­ri­ence — please don’t hes­i­tate to head over to the Chatto HQ com­mu­nity and get in touch.

Also please feel free to drop by and say hello if you’re in­ter­ested in Chatto for your com­pany, Open Source pro­ject, or sim­i­lar. I’d love to learn more about your re­quire­ments, and help you get set up.

Links

Chatto HQ Community - we have a #self-hosting sup­port chan­nel!

Chatto Self-Hosting Documentation

GitHub Repository

Chatto on Bluesky

Newsletter

If you want to be no­ti­fied about new re­leases or the start of Chatto Cloud’s beta, you’re in­vited to sub­scribe to the Chatto an­nounce­ments newslet­ter. It’s su­per low-vol­ume (~1 email per month), and is only used for no­ti­fy­ing you when ex­cit­ing new stuff be­comes avail­able.

openai.com

Herdr: one terminal for the whole herd

herdr.dev

Agent mul­ti­plexer · a bi­nary, not an app

Run all your cod­ing agents from one ter­mi­nal, on any box, even over ssh. Each runs in its own real ter­mi­nal, on a server that keeps it alive when you close the lap­top. See blocked, work­ing, and done at a glance, and reat­tach from your phone.

Stable in­stall

$ curl -fsSL https://​herdr.dev/​in­stall.sh | sh

PS> irm https://​herdr.dev/​in­stall.ps1 | iex

Stable Linux/macOS · Windows pre­view beta · no Electron, no ac­count, no teleme­try

open­code­herdr+

✻ Claude Code v2.1.168

~/Projects/herdr · mas­ter

❯ the side­bar flick­ers when an agent flips state fast

● Found it. The rollup re­com­putes on every PTY chunk, so a dou­ble state flip re­paints the dot mid-frame.

● Plan:

· src/​app/​state.rs — buffer state events per tick

· src/​ui/​side­bar.rs — re­paint rollups once per frame

❯ go, and add a re­gres­sion test

⠋ Working… (13m 36s · esc to in­ter­rupt)

~/Projects/herdr > mas­ter > ctx ─── 3% 34k/1M

>> by­pass per­mis­sions on (shift+tab to cy­cle)

~/Projects/herdr mas­ter

❯ bun run dev

$ node scripts/​pre­pare-docs.mjs && as­tro dev

02:10:44 [types] Generated 0ms

02:10:44 [content] Synced con­tent

as­tro v5.18.1 ready in 668 ms

┃ Local   http://​lo­cal­host:4321/

Network  use –host to ex­pose

02:10:44 watch­ing for file changes…

+ Thought: 468ms

→ Read src/​main.rs

+ Thought: 292ms

This is src/​main.rs — the en­try point for herdr. Here’s what it does:

1. Arg pars­ing — ses­sion::con­fig­ure_from_args, then re­mote args for the SSH bridge.

2. Subcommand dis­patch — server, client, up­date — each re­turns early.

3. Session mode — au­to_de­tec­t_launch() con­nects to a run­ning server or spawns one.

Build · MiMo V2.5 Free · 16.6s

Build · MiMo V2.5 Free OpenCode Zen

25.2K (13%)  ctrl+p com­mands

mi­gratel­ogs+

✻ Claude Code v2.1.168

~/Projects/llm-proxy · mas­ter

❯ prep the re­quest-log mi­gra­tion and run it

● Wrote mi­gra­tions/​0007_re­quest_log.sql — re­quest_log table, re­ten­tion in­dex on cre­at­ed_at, daily rollup view.

● Local checks pass: sqlx pre­pare is clean, back­fill dry-run touches 41,209 rows. Ready to ap­ply.

Bash com­mand

cargo sqlx mi­grate run

Apply pend­ing data­base mi­gra­tions

Do you want to pro­ceed?

❯ 1. Yes

2. No, and tell Claude what to do dif­fer­ently (esc)

~/Projects/llm-proxy mas­ter

❯ tail -f logs/​proxy.log

02:30:58 INFO re­quest id=4818 route=/​v1/​mes­sages 200 312ms

02:31:04 INFO re­quest id=4819 route=/​v1/​mes­sages 200 287ms

02:31:09 DEBUG cache hit ra­tio 0.93

02:31:12 INFO re­quest id=4820 route=/​v1/​mes­sages 200 301ms

02:31:15 WARN up­stream la­tency p99 1.8s

02:31:18 INFO re­quest id=4821 route=/​v1/​mes­sages 200 295ms

02:31:21 WARN 429 from up­stream, retry­ing in 2s

02:31:24 INFO re­quest id=4822 route=/​v1/​mes­sages 200 1102ms

02:31:30 DEBUG cache hit ra­tio 0.94

02:31:33 INFO re­quest id=4823 route=/​v1/​em­bed­dings 200 88ms

codexserver+

• Explored

└ Read live_hand­off.rs

• Ran

└ cargo nex­test run -E test(live_handoff)’

└ 14 passed · 0 failed · 41.3s

• The hand­off suite passes. Pane PTYs sur­vive server re­place­ment, and long-lived work­loads — in­clud­ing the http.server in the next tab — keep re­spond­ing af­ter­ward.

• Next I can wire the soak test into nightly CI and fail on p95 re­gres­sions. Want that?

gpt-5.5 medium · ~/qmp · mas­ter · Context 6% used

~/qmp mas­ter

❯ python3 -m http.server 8080

Serving HTTP on 0.0.0.0 port 8080 …

02:28:41 GET /runs/latest.json” 200

02:29:03 GET /runs/latest.json” 200

02:29:25 GET /qmp/report.html” 200

02:30:07 GET /runs/latest.json” 200

02:30:18 GET /favicon.ico” 404

02:30:42 GET /qmp/report.html” 200

02:31:09 GET /runs/latest.json” 200

# used in the wild

Popular with en­gi­neers from

Individual en­gi­neers, not com­pany en­dorse­ments.

JetBrains

Docker

Vercel

Kimi

Sentry

Google

NVIDIA

AWS

ByteDance

Tencent

Alibaba

Salesforce

IBM

Atlassian

Whop

Eve Online's Carbon engine is now open source: Fenris Creations explains why

www.gamesindustry.biz

In 2024, Fenris Creations — then called CCP Games — said that it was plan­ning to make its Carbon game en­gine open source. Now, some two years later, the tech be­hind the long-run­ning sci-fi MMO Eve Online is avail­able on GitHub for every­one to use.

The open-source pro­ject is some­thing that the com­pa­ny’s core tech team has been work­ing on at a slow burn” for some time now, with the bulk of the work done in the last 12 weeks. Speaking to GamesIndustry.biz, Fenris Creations’ se­nior de­vel­op­ment di­rec­tor for core tech­nol­ogy, Ben Hunter, ex­plains the rea­son­ing be­hind it all. We wanted to get the code out there for in­spectabil­ity and build­ing trust with the com­mu­nity,” he says.

Fenris has a long his­tory of build­ing com­mu­ni­ties and en­gag­ing with them. If you look back to the early days of Eve Online, when we ex­posed our ap­pli­ca­tion pro­gram­ming in­ter­face (API), that was the start of our ef­fort to en­gage with the com­mu­nity and let them build some­thing with it. We ar­rived at this point two and a half to three years ago, where we de­cided there’s noth­ing re­ally spe­cial about our sauce in terms of the ac­tual code. We, and the com­mu­nity, would be bet­ter served by ac­tu­ally get­ting it out there, hav­ing more eyes on it, so that we can ac­tu­ally learn and grow from that, and peo­ple can do crazy things with it, which we’re very ex­cited to see.”

It’s early days at the mo­ment. Hunter says that things are leaning to­wards” peo­ple us­ing Carbon to build within the Eve ecosys­tem. Members of the com­mu­nity have al­ready been sub­mit­ting pull re­quests (PRs) — pro­posed changes to a code­base — for se­cu­rity fixes, and there’s been chat­ter about some­one mak­ing a web app to watch Eve Online con­tent.

We have to see how that man­i­fests, but es­sen­tially, you can build any­thing with it,” Hunter says.

Carbon is avail­able in its en­tirety across a num­ber of dif­fer­ent mod­ules. Most of the tech is un­der the MIT License, a pop­u­lar and per­mis­sive op­tion. Only two mod­ules aren’t un­der that ban­ner: spa­tial au­dio clus­ter­ing is cov­ered by Apache License 2.0, while IO has a Python Software Foundation License.

None of these li­censes has any com­mer­cial el­e­ment; some­one can use all of Carbon for free. They could make their own MMO us­ing the tech, for free. They could even fork off the en­gine and build their own ver­sion, sim­i­lar to how the Linux dis­tro sys­tem works.

But mak­ing money is­n’t the point of this ven­ture.

It’s about gar­ner­ing the ac­tual in­ter­est from peo­ple so that they want to in­vest their time, their ef­fort, their money into con­tribut­ing some­thing,” Hunter ex­plains. It’s this be­lief that ris­ing tides lift all ships. If we im­prove the code and we can all ben­e­fit from it, it’s good for every­one.”

Security con­cerns

Open sourc­ing cre­ates a bit of ex­tra work for the core tech team; they’ve got to han­dle PRs and mon­i­tor the changes. This is some­thing Fenris has slowly been hir­ing to­wards for years now.

We an­nounced our in­ten­tion to open source a cou­ple of years ago, then through­out that pe­riod, slowly ramped up in some of the teams, not specif­i­cally for open source it­self, but rather just to aug­ment the teams so they’d have more band­width to han­dle the me­chan­ics,” Hunter says. We have re­served time dur­ing our sprint process to re­view PRs, process them, and go through every­thing.”

There are many ben­e­fits to open­ing up your tech and let­ting any­one take a look un­der the hood. But bad ac­tors are al­ways out there, look­ing for any ex­ploit they can find. Hunter says that se­cu­rity is absolutely” a con­cern mov­ing for­ward, adding that it’s a pres­sure that en­sures the team increases the ef­fort” they put in when re­view­ing code and mak­ing ar­chi­tec­tural de­ci­sions.

But at the same time, the holes that were there would have been there any­way,” he says. Actually hav­ing the abil­ity to have third par­ties con­tribute to and help us close any po­ten­tial se­cu­rity gaps is very good. To be hon­est, for an en­gine that is 23 years old, the num­ber of se­cu­rity-re­lated PRs that we’ve had is quite min­i­mal. That’s eye-open­ing, in a good way — there’s been a lot of work done over the years. As you can imag­ine, Eve Online has gar­nered a lot of in­ter­est over the years be­cause of the scale of the fleet fights, the bat­tles, and things like that. Nefarious ac­tors, def­i­nitely, in the past, have wanted to probe that and try to dis­rupt it. There’s been a lot of bat­tle-hard­en­ing over 23 years to the in­fra­struc­tural stack of the en­gine and the net­work­ing layer.”

The abil­ity to have third par­ties con­tribute to and help us close any po­ten­tial se­cu­rity gaps is very good”

As well as game­play in­tegrity, there’s also the game’s econ­omy. Eve Online has a com­pli­cated, ro­bust, and in­cred­i­bly valu­able in-game econ­omy, with es­ti­mates sug­gest­ing a trad­ing vol­ume of more than $50 mil­lion per year. That part of the game is­n’t open source. In fact, Hunter says that a great deal of care was taken in de­cid­ing what was marked off for open source and what was not.

We had to make very care­ful con­sid­er­a­tions for what we carved out and what we left off,” he says. Probably the hard­est part of do­ing the open source pro­ject is de­cid­ing what gen­uinely is en­gine ver­sus what is two decades of things that grew up around it, and then also re­build­ing all of the pieces that were mid­dle­ware or li­cens­ing that no longer would be ap­plic­a­ble for open sourc­ing. That’s def­i­nitely been a big part of the chal­lenge.”

Weighting from Godot

To help thread the nee­dle, Fenris asked for ad­vice from Godot — an open-source en­gine pro­ject that started in 2014 and that has seen sub­stan­tial suc­cess in the past few years. Hunter notes that the rise of open, per­mis­si­ble soft­ware is def­i­nitely a trend at the mo­ment.”

The main con­ver­sa­tions were around gov­er­nance mod­els,” he con­tin­ues. We were ex­pect­ing Godot to come in and have this play­book of how to gov­ern an open source pro­ject at scale like that, but in re­al­ity, what it came down to was mak­ing the right ar­chi­tec­tural choices and hav­ing the ar­chi­tec­ture help pro­tect and de­fine the sur­face area for con­tri­bu­tion. If you roll that down, that’s a plug-in model for the en­gine, which is some­thing Unreal and Unity have, and it’s some­thing we are cur­rently im­ple­ment­ing for Carbon at the mo­ment.

We’re mov­ing to this plug-in ar­chi­tec­ture with our tool­ing. It’s also some­thing we’ll be open-sourc­ing in the com­ing months. The biggest light-bulb mo­ment in that con­ver­sa­tion is that we can make some ar­chi­tec­tural de­ci­sions that will help with the ac­tual op­er­a­tional gov­er­nance of the open source pro­ject.”

Regarding Carbon’s gov­er­nance struc­ture, the pro­ject is fully per­mis­si­ble and open. Fenris is ac­cept­ing con­tri­bu­tions and putting to­gether PR tem­plates and con­tri­bu­tion guide­lines.

We ba­si­cally had our code ready to be open-sourced be­fore we had some of the ma­chin­ery in place to process the ac­tual gov­er­nance of it,” Hunter says. That work has all the de­tails of how you can con­tribute, what cri­te­ria you have to meet when it comes to test­ing your work be­fore it is sub­mit­ted, and dis­clos­ing that you have utilised an LLM. We don’t mind you us­ing an LLM, but you have to dis­close it be­cause we may sub­ject it to dif­fer­ent scrutiny than if it were not dis­closed.”

Looking at the broader en­gine ecosys­tem, Hunter de­scribes the land­scape as shifting quite con­sid­er­ably”, point­ing at Epic’s re­cent an­nounce­ment re­gard­ing in­te­grat­ing AI in Unreal Engine 6.

We don’t mind you us­ing an LLM, but you have to dis­close it”

You’re see­ing a lot of the de­vel­op­ers that were tra­di­tion­ally go­ing to Unity or Unreal start­ing to shift gears a lit­tle bit to­wards Godot,” he says. If you look at Epic’s re­cent an­nounce­ments, they are shift­ing things quite a bit to en­sure they can en­ter the LLM era. Unreal’s been chang­ing a lot of its foun­da­tions with the new Verse lan­guage and the Scene Graph re­plac­ing the Actor model to pro­vide more per­sis­tence in large-scale en­vi­ron­ments. That’s some­thing that Carbon has been do­ing at scale for a very long time. It’s some­thing we’ve def­i­nitely seen the value in con­tribut­ing to, and a lot of the other en­gines are start­ing to want to have their own path­way to this as well.

There’s a lot of re-ar­chi­tect­ing go­ing on at the mo­ment, but also the biggest part of this is fig­ur­ing out the most use­ful way to in­te­grate or utilise LLMs for work­flows more than any­thing else. We our­selves also have a tools gate­way that we’ve just cre­ated in­ter­nally for LLM in­ter­faces, which we are rolling out to the game teams in the com­ing weeks and af­ter it’s had a bit of hard­en­ing time, we’ll be rolling that out as open source as well. There’s def­i­nitely a shift in the in­dus­try at the mo­ment.”

Testing in the wild

Looking for­ward, Fenris Creations is go­ing to be de­vel­op­ing Carbon in the open. Anyone and every­one can look, and that’s go­ing to im­pact how the team works.

The biggest thing is that we will be putting a lot more scrutiny into any big­ger ar­chi­tec­tural changes that we make,” Hunter says. That’s some­thing that we now have to have much more con­sid­er­a­tion with the game teams be­cause we will want them to do their own test­ing of that as well.

The other, which will def­i­nitely change now, is we are see­ing the need to cre­ate a test pro­ject. I don’t want to call it a game, but it’s an ex­am­ple game that is more for the testa­bil­ity and un­der­stand­ing the ar­chi­tec­ture and get started quickly in the en­gine. That’s an­other thing that’s chang­ing a lot. We, as the core tech group, will have to cre­ate that test ex­am­ple, and that will be­come our test space, which will be our ex­am­ple pro­ject. Right now, when we make changes to the en­gine, we have to jump into Eve or Eve Frontier and try to test in those game ex­am­ples. We don’t have our own sim­pli­fied ex­am­ple to run through.”

It’s taken a great deal of work to get here, but now Carbon is open source, what does Fenris Creations want for its en­gine over the next five years? Hunter says that he hopes to see a large, Eve-centric” com­mu­nity build up around the en­gine that will create their own aug­mented ver­sions of the game ex­pe­ri­ence”.

If you look at his­tory, when we re­leased the API for Eve Online, we saw var­i­ous side ap­pli­ca­tions that helped you man­age the skills of your char­ac­ter or fit the ship,” he con­tin­ues.

With Carbon, we’ve given the ca­pa­bil­i­ties and tools to the com­mu­nity, and the abil­ity to make that a much richer ex­pe­ri­ence is so much higher. But if you look at the di­rec­tion of what Eve Frontier in par­tic­u­lar is do­ing, where they’re be­com­ing a very open builder game, there’s so much more po­ten­tial there fur­ther down the road. I would say that in five years from now, we’d have quite a large com­mu­nity build­ing a lot of in­fra­struc­ture and apps and ex­pe­ri­ences around the Eve uni­verse, as it were.”

He con­cludes: Of course, any­thing is pos­si­ble with it be­ing MIT-licensed, but I would like to see it con­tribut­ing to the Eve uni­verse as a whole.”

Video Lectures | Structure and Interpretation of Computer Programs | Electrical Engineering and Computer Science | MIT OpenCourseWare

ocw.mit.edu

These twenty video lec­tures by Hal Abelson and Gerald Jay Sussman are a com­plete pre­sen­ta­tion of the course, given in July 1986 for Hewlett-Packard em­ploy­ees, and pro­fes­sion­ally pro­duced by Hewlett-Packard Television. These videos are also avail­able here un­der a Creative Commons li­cense com­pat­i­ble with com­mer­cial use.

Note: These lec­tures fol­low the first edi­tion (1985) of Structure and Interpretation of Computer Programs. Many of the pro­grams dis­cussed were rewrit­ten for the sec­ond edi­tion (1996) of the book, and new ma­te­r­ial was added. These video lec­tures will still be use­ful for stu­dents us­ing the sec­ond edi­tion, since the over­all themes of the course and or­der of pre­sen­ta­tion are un­changed.

These videos are cour­tesy of Hal Abelson and Gerald Jay Sussman, and are used with per­mis­sion.

CERT/CC Vulnerability Note VU#213560

kb.cert.org

Overview

Several ver­sions of Tenda firmware con­tain an un­doc­u­mented au­then­ti­ca­tion back­door that grants ad­min­is­tra­tive ac­cess to the de­vices’ web man­age­ment in­ter­faces. An at­tacker can ex­poit this vul­ner­a­bil­ity, tracked as CVE-2026 – 11405, to by­pass the pass­word ver­i­fi­ca­tion process and ob­tain full ad­min­is­tra­tive con­trol with­out valid cre­den­tials.

Affected Versions: * US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD * US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE * US_AC10V1.0re_V15.03.06.46_multi_TDE01 * US_AC5V1.0RTL_V15.03.06.48_multi_TDE01 * US_AC6V2.0RTL_V15.03.06.51_multi_T

Description

Tenda is a sup­plier of home and busi­ness net­work de­vices such as routers, switches, wire­less ac­cess points, and video sur­veil­lance equip­ment. Most of these de­vices in­clude web-based in­ter­faces that al­low users to per­form con­fig­u­ra­tion and man­age­ment op­er­a­tions, which are pro­tected by user­name/​pass­word au­then­ti­ca­tion to pre­vent unau­tho­rized mod­i­fi­ca­tions.

The web server bi­nary /bin/httpd con­tains an un­doc­u­mented back­door au­then­ti­ca­tion mech­a­nism in the lo­gin() func­tion. Initially, the func­tion fol­lows a nor­mal au­then­ti­ca­tion path us­ing MD5-based pass­word ver­i­fi­ca­tion. However, if au­then­ti­ca­tion fails, the func­tion in­vokes GetValue(“sys.rzadmin.password”) to re­trieve an al­ter­nate pass­word value from the de­vice con­fig­u­ra­tion. It then per­forms a di­rect str­cmp() com­par­i­son in plain­text be­tween the user-sup­plied pass­word and the con­fig­u­ra­tion-stored value. A suc­cess­ful match grants role=2 ad­min-level ac­cess and cre­ates a valid ses­sion.

The as­so­ci­ated user­name is not val­i­dated, so any pro­vided user­name will suc­ceed when paired with the back­door pass­word. This back­door au­then­ti­ca­tion mech­a­nism is not doc­u­mented or vis­i­ble through any ad­min­is­tra­tive in­ter­face.

Impact

Successful ex­ploita­tion grants full ad­min­is­tra­tive ac­cess to the de­vice’s web in­ter­face, re­gard­less of the con­fig­ured ad­min­is­tra­tor ac­count cre­den­tials. With ad­min­is­tra­tive con­trol, an at­tacker can re­con­fig­ure the de­vice, al­ter net­work set­tings, and dis­able se­cu­rity fea­tures, en­abling broader com­pro­mise of the lo­cal net­work.

Solution

Unfortunately, we were un­able to reach the ven­dor to co­or­di­nate this vul­ner­a­bil­ity. Since a patch is un­avail­able, we can only of­fer mit­i­ga­tion strate­gies. The fol­low­ing workarounds can help mit­i­gate this vul­ner­a­bil­i­ty’s im­pact un­til a fixed ver­sion is re­leased:

Disable re­mote man­age­ment on your de­vice If your de­vice sup­ports re­mote web man­age­ment, dis­able it. Disabling this fea­ture pre­vents at­tack­ers on ex­ter­nal net­works from ac­cess­ing your de­vice’s ad­min­is­tra­tive dash­board over the in­ter­net.

Restrict lo­cal net­work ex­po­sure Changing the de­fault LAN IP ad­dress may re­duce op­por­tunis­tic dis­cov­ery by au­to­mated scan­ners that tar­get known de­fault IP ranges. Note that this mea­sure does not pre­vent de­lib­er­ate or tar­geted net­work scan­ning.

Acknowledgements

Thanks to the re­porter who wishes to re­main anony­mous. This doc­u­ment was writ­ten by Bob Kemerer.

Vendor Information

213560

Filter by sta­tus:

Filter by con­tent: Additional in­for­ma­tion avail­able

Sort by:

References

https://​www.cisa.gov/​au­di­ences/​high-risk-com­mu­ni­ties/​pro­jec­tup­skill/​mod­ule5

https://​www.ten­dacn.com/​down­load/

https://​me­dia.de­fense.gov/​2023/​Feb/​22/​2003165170/-​1/-​1/​0/​CSI_BEST_PRAC­TICES_­FOR_SE­CUR­ING_Y­OUR_HOME­_NET­WORK.PDF

Other Information

Robostral Navigate: single-camera AI navigation | Mistral AI

mistral.ai

Thinking

Summary

Robostral Navigate is an 8B model that en­ables ro­bots to au­tonomously nav­i­gate com­plex en­vi­ron­ments us­ing only a sin­gle RGB cam­era, achiev­ing 76.6% suc­cess on un­seen R2R-CE bench­marks—out­per­form­ing multi-sen­sor ap­proaches while be­ing more ef­fi­cient. Built en­tirely in-house with sim­u­la­tion-trained data and to­ken-ef­fi­cient tech­niques, it gen­er­al­izes across ro­bot types and adapts to real-world ob­sta­cles un­seen dur­ing train­ing. The model com­bines point­ing-based nav­i­ga­tion with re­in­force­ment learn­ing for con­tin­u­ous im­prove­ment, paving the way for uni­fied em­bod­ied AI in ro­bot­ics.

Today we’re in­tro­duc­ing Robostral Navigate, our first model built for em­bod­ied nav­i­ga­tion. It’s an 8B model that takes RGB im­ages and a plain-lan­guage in­struc­tion and moves a ro­bot through an en­vi­ron­ment:

Leave the lobby, walk through the cor­ri­dor, en­ter the sup­ply room, and stop to face the sec­ond shelf.”

To per­form such tasks, other mod­els of­ten em­ploy depth sen­sors, LiDAR, or sev­eral cam­eras work­ing to­gether. Robostral Navigate uses only one or­di­nary RGB cam­era and no depth sen­sors, yet still achieves 76.6% on R2R-CE (Room-to-Room in Continuous Environments) val­i­da­tion un­seen, the bench­mark for fol­low­ing in­struc­tions in en­vi­ron­ments held out of train­ing. Consequently, it beats the best sin­gle-cam­era ap­proach by 9.7 points and the best sys­tem us­ing depth or mul­ti­ple cam­eras by 4.5 points, de­spite us­ing nei­ther.

Our model is de­signed for ro­botic nav­i­ga­tion, en­abling ro­bots to au­tonomously nav­i­gate com­plex en­vi­ron­ments, in­clud­ing of­fices, res­i­den­tial and com­mer­cial build­ings, and out­door set­tings.

Robostral Navigate run­ning fully au­tonomously in one long-hori­zon in­struc­tion route through a work­ing of­fice.

This tech­nol­ogy un­locks nu­mer­ous ap­pli­ca­tions across man­u­fac­tur­ing, de­liv­ery, lo­gis­tics, and hos­pi­tal­ity, mak­ing it one of the most in-de­mand ca­pa­bil­i­ties for our cus­tomers to­day. Give Robostral Navigate one in­struc­tion and it com­pletes the en­tire task on its own, mov­ing through a live space full of peo­ple and ob­sta­cles it was never shown, ca­pa­ble of adapt­ing to any set­ting.

Highlights

State-of-the-art per­for­mance on R2R-CE

State-of-the-art per­for­mance on R2R-CE

79.4% Success Rate on val­i­da­tion seen 76.6% Success Rate on val­i­da­tion un­seen

79.4% Success Rate on val­i­da­tion seen

79.4% Success Rate on val­i­da­tion seen

76.6% Success Rate on val­i­da­tion un­seen

76.6% Success Rate on val­i­da­tion un­seen

Operates from a sin­gle RGB cam­era, with no LiDAR or depth sen­sors

Operates from a sin­gle RGB cam­era, with no LiDAR or depth sen­sors

8B model, built in-house and trained en­tirely in sim­u­la­tion

8B model, built in-house and trained en­tirely in sim­u­la­tion

Runs on wheeled, legged, and fly­ing ro­bots, and gen­er­al­izes across ro­bot sizes

Runs on wheeled, legged, and fly­ing ro­bots, and gen­er­al­izes across ro­bot sizes

Robust to dif­fer­ences in cam­era in­trin­sics

Robust to dif­fer­ences in cam­era in­trin­sics

Token-efficient train­ing via pre­fix-caching

Token-efficient train­ing via pre­fix-caching

Navigation via point­ing

Given a task and a his­tory of ob­ser­va­tions, Robostral Navigate pre­dicts where the ro­bot should move next via point­ing: it in­fers the im­age co­or­di­nates of the tar­get lo­ca­tion in the ro­bot’s cur­rent cam­era view, to­gether with the de­sired ori­en­ta­tion upon ar­rival. Unlike com­mands re­ly­ing on met­ric dis­place­ments, point­ing makes the pol­icy nat­u­rally ro­bust to changes in cam­era in­trin­sics and world scale.

However, this method can­not han­dle cases where the tar­get lo­ca­tion lies out­side the cur­rent field of view. When point­ing does not ap­ply, the model falls back to dis­place­ments in the ro­bot’s lo­cal co­or­di­nate frame, such as:

Move 2 me­ters for­ward, 1.5 me­ters to the left, and turn 25 de­grees left.”

Built from the ground up

Robostral Navigate is built en­tirely in-house and does not rely on ex­ist­ing open-source VLMs.

The model is ini­tial­ized from our vi­sion-lan­guage model spe­cial­ized for ground­ing tasks such as point­ing, count­ing, and ob­ject lo­cal­iza­tion. Navigation emerges as a nat­ural ex­ten­sion of these ca­pa­bil­i­ties: once it un­der­stands where things are, it learns how to move.

We built an ef­fi­cient data gen­er­a­tion pipeline en­tirely in sim­u­la­tion. This en­abled rapid it­er­a­tion on the data, re­sult­ing in a dataset of ap­prox­i­mately 400,000 tra­jec­to­ries col­lected across 6,000 scenes.

Efficient su­per­vised train­ing

A key in­gre­di­ent of Robostral Navigate is an ef­fi­cient train­ing al­go­rithm based on pre­fix-caching. Using a tree-based at­ten­tion-mask­ing strat­egy, our method com­presses an en­tire episode into a sin­gle se­quence, en­abling train­ing on all time steps in a sin­gle for­ward pass while pre­vent­ing in­for­ma­tion leak­age be­tween time steps.

Compared to train­ing with one sam­ple per time step, our ap­proach re­duces the num­ber of train­ing to­kens by 22× while pre­serv­ing all of the learn­ing sig­nals. In prac­tice, this method trans­forms train­ing runs that would take months into runs that com­plete in days.

Online re­in­force­ment learn­ing

We lever­age our knowl­edge of post-train­ing LLMs at scale, us­ing on­line re­in­force­ment learn­ing, to boost the per­for­mance of Robostral Navigate. After the su­per­vised train­ing stage, we fur­ther im­prove the mod­el’s per­for­mance us­ing CISPO, an on­line re­in­force­ment learn­ing al­go­rithm. This en­ables the model to learn from trial and er­ror, re­cover from fail­ures, and ac­quire ex­ploratory be­hav­iors, ef­fec­tively mit­i­gat­ing the dis­tri­b­u­tion shift is­sue of vanilla be­hav­ior cloning. This alone im­proved the suc­cess rate by 3.2%. We are not see­ing any plateau­ing, so we are con­fi­dent that more train­ing and more ex­per­i­ments will con­tinue to push this num­ber up.

What’s Next

Robostral Navigate is only the first step to­ward a uni­fied em­bod­ied agent.

We be­lieve nav­i­ga­tion is a foun­da­tional ca­pa­bil­ity for gen­eral-pur­pose ro­bot­ics. By com­bin­ing large-scale sim­u­la­tion, ef­fi­cient train­ing, and strong ground­ing pri­ors, Robostral Navigate demon­strates that state-of-the-art em­bod­ied nav­i­ga­tion can be achieved with a com­pact model and a sin­gle RGB cam­era.

Start your jour­ney to em­bod­ied fron­tier AI, talk with our team.

BTW, we’re hir­ing!

The re­lease of our nav­i­ga­tion mod­els marks a sig­nif­i­cant step for­ward, but our jour­ney is far from over. Our am­bi­tion is to en­able ro­bots to au­tonomously nav­i­gate com­plex en­vi­ron­ments—of­fices, homes, com­mer­cial build­ings, and out­door spaces—and there’s a lot more work to do. We are ac­tively ex­pand­ing our ro­bot­ics team and look­ing for tal­ented re­search sci­en­tists and en­gi­neers who share our am­bi­tion.

If you’re in­ter­ested in join­ing us on our mis­sion to bring seam­less nav­i­ga­tion to ro­bots every­where, we wel­come your ap­pli­ca­tions to join our team!

By Théo Cachet, Arjun Majumdar, Srijan Mishra, Thomas Chabal, Chris Bamford, Elliot Chane-Sane, Benjamin Tibi, Ludovic Ho Fuh, Olivier Duchenne - AI Science Robotics

To add this web app to your iOS home screen tap the share button and select "Add to the Home Screen".

10HN is also available as an iOS App

If you visit 10HN only rarely, check out the the best articles from the past week.

Visit pancik.com for more.