Robert 🎯
3K posts
@porobertdev
Self-taught full-stack developer. Currently learning design. Experimenting.

this is the third supply chain incident this month. axios, vercel oauth, now your password manager.

bitwarden cli got compromised. the attack didn't exploit a bug in bitwarden's code. it poisoned the build pipeline. the package that hit your machine came from the official npm account, correct signature, official source — and it was malicious.

here's how it worked:

attackers compromised bitwarden's github actions CI/CD pipeline (exact method not yet disclosed). malicious code was injected into bw1.js, shipped as @bitwarden/cli 2026.4.0 on npm. anyone who installed it ran the payload.

what the payload harvested from your machine:
• github tokens (via Runner.Worker memory scraping)
• aws credentials (~/.aws/)
• azure, gcp tokens
• npm tokens (.npmrc)
• ssh keys
• claude/mcp config files

all exfiltrated to attacker-controlled github repos, silently.

then it got worse. it used your stolen npm token to find every package you have write access to, and injected a preinstall hook into those too. every developer who installs your packages becomes the next victim. exponential spread, fully silent.

it also wrote itself into ~/.bashrc and ~/.zshrc for persistence. restarts don't help.

why this is hard to fix: the attacker published poisoned versions using stolen tokens, so they look completely normal on the npm registry. nobody knows which packages got hit second-hand. socket.dev is scanning continuously, finding them one by one. there's no "all clear" moment — it's a cat and mouse game.

what you can do:
• if you had @bitwarden/cli 2026.4.0 installed: rotate everything now. github tokens, aws keys, npm tokens, ssh keys
• pin your cli tool versions. no ^ or * for anything that touches credentials
• revoke npm tokens you're not actively using
• use lockfiles — they catch hash mismatches if a package gets tampered with
• browser extension and mcp server are not affected. cli only

the uncomfortable truth: if you depend on a package and need updates, you have to trust the entire publish chain. "install from the official channel" used to be the safe answer. it isn't anymore.

socket.dev/blog/bitwarden…

EVERY TOOL VIBE-CODERS SHOULD KNOW ABOUT:
• @claudeai - AI for coding + debugging
• @cursor_ai - AI code editor
• @Replit - Cloud coding + instant deployment
• @vercel - Frontend hosting + deployment
• @github - Code hosting + Version Control
• @NanoBanana - AI image generation
• @midjourney - AI image generation (advanced)
• @rainbowdotme - Web3 wallet integration
• @RevenueCat - Subscription payment management
• @Lovable - AI app and website builder
• @rork - AI mobile app builder
• @Dribbble - Design inspiration + discovery
• @v0 - AI UI component generator
• @zeddotdev - Fast lightweight code editor
• @zencoderai - AI coding agent platform
• @codeium - Free AI autocomplete
• @tabnine - AI code completion
• @supabase - Backend + database + auth
• @ChatGPTapp - General AI assistant
• @AskAider - Terminal-based AI pair programmer
• @boltdotnew - Prompt-to-app generator
• @TryNoahAI - AI builder for onchain apps
• @antigravity - AI-powered agentic IDE
• @QodoAI - AI code review + generation
• @snykio - AI security code analysis
• @piecesapp - AI code snippets manager
• @mintlify - AI documentation generator
• @perplexity_ai - AI search for dev queries
• @gitlab - AI-powered dev workflows
• @Sourcegraph - AI codebase search + understanding
• @coderabbitai - AI-powered code reviews
• @getconvex - Realtime backend for apps
• @fal - AI media generation APIs
• @openrouter - LLM API router
• @exa_ai - AI search API
• @cognition_labs - Devin AI software engineer
• @canva - Design and graphics
• @figma - Collaborative UI/UX design
• @netlify - Hosting + deployment
• @GoogleAI - Google AI Studio for prototyping
• @openinterpreter - Open-source terminal AI
• @warpdev - AI-powered terminal
• @cline - AI coding agent for VS Code
• @windsurf_ai - AI-powered code editor
• @ManusAI - General AI agent for productivity
• @v_computer - AI mobile app builder
• @openclaw - Experimental AI agent framework
• @GoogleDeepMind - AI research + dev tools

what did I miss?
