Playbooks
Step-by-step recovery and audit procedures. Optimized for someone who just realized they're in trouble.
| Scenario | Playbook |
|---|---|
You ran npm install on a package that turned out to be malicious |
if-you-installed-a-bad-npm-package.md |
Your ~/.npmrc token was on disk when malware ran |
if-your-npm-token-leaked.md |
| Your GitHub PAT was on disk when malware ran | if-your-github-pat-leaked.md |
| An MCP server you installed turned out to be malicious | if-an-mcp-server-was-malicious.md |
A package's postinstall / binding.gyp script ran on your machine |
if-you-ran-malicious-postinstall.md |
| Your local AI coding agent (Cline / Cursor / Claude Code / …) was exploited | if-your-local-ai-agent-was-exploited.md |
| A production web app had an exploited RCE / auth-bypass / SSRF | if-your-webapp-was-compromised.md |
| You need to rotate AWS / GCP / Azure / Kubernetes creds | rotating-cloud-credentials.md |
| You inherited a vibe-coded repo and need to audit it | auditing-a-vibe-coded-repo.md |
How to use a playbook
- Identify the matching scenario above.
- Open the playbook. Each starts with "Do this first (60 seconds)" — execute it without reading further.
- Then work through "Triage," "Rotate," and "Verify."
- If multiple playbooks apply, do "Do this first" for all of them, then work each in parallel.
Time is the enemy. Stolen npm tokens publish malicious packages within minutes. Stolen GitHub PATs flip private repos public in seconds. Stolen cloud creds spin up crypto miners on your bill within hours.