Show HN: Mochi.js: bun-native high-fidelity browser automation library
Source: Hacker News
Introduction
I’m sharing mochi.js – a Bun‑native, raw‑CDP browser automation framework. It’s designed to make programmatic browser use more effective by focusing on consistency and measured parity with regular traffic, purely from the JavaScript layer, against stock Chromium.
How It Differs from Typical Automation
Most browser‑automation tools rely on client‑side, line‑by‑line probes that are largely cosmetic. While they may look convincing, they have little relevance to real WAF or anti‑automation defenses.
Mochi.js targets what actually matters, enabling you to bypass captchas, WAFs, and many other defense mechanisms. In some cases it even outperforms Chromium forks because it doesn’t need to “lie.”
Technical Foundations
- Built on a probe manifest derived from analysis of several WAFs, covering the most critical detection vectors.
- Automatically solves Turnstile/interstitial challenges.
- Achieves single‑digit FingerprintJS (FPJS) suspect scores and strong client‑side results.
- Known limitations: browserscan and a few other tools that fundamentally conflict with WAF probing techniques.
Motivation
The current “bot detection” paradigm is fundamentally broken. For example, Turnstile’s script self‑destructs when a debugger tries to inspect the data it extracts from your hardware. The industry calls this “Security,” yet a script that deliberately controls what data your hardware emits is labeled “Malicious Actor” engaged in “Bot Evasion.”
I built a library that respects hardware reality. If that challenges your security model, it’s because the model relies on trespassing and secrecy.
Philosophy
Mochi is the opposite of WAF opacity—it’s a glass‑box solution:
- MIT‑licensed, fully documented DAG, fingerprint manifest schema, and harvesting process.
- Live benchmarks are publicly committed (e.g., on a Linux datacenter IP, Mochi scored `suspect_score: 8` and `bot: not_detected` against FingerprintJS Pro v4).
- Defaults to host‑OS matching: on Linux it uses privacy‑sensible Linux fingerprints, not Windows, because the OS signal is a genuine user indicator.
This demonstrates that WAFs aren’t blocking what most people think they are, raising questions about their actual behavior.
License & Availability
Mochi.js is completely free and open source under the MIT license. There is no affiliation with proprietary products, patched Chromium forks, or SaaS offerings.
- GitHub repository:
Discussion
I’ll be here to discuss details, documentation, or any other questions.
Points: 5
Comments: 1