X (Twitter) accounts to follow
Build a dedicated list. Most supply-chain stories break here hours before the blog posts go up.
Vendors that ship advisories fast
- @SocketSecurity — first to spot most npm package compromises. Single best signal for npm.
- @snyksec — Snyk Security team. Broad coverage across npm, PyPI, Maven, etc.
- @StepSecurityIO — focuses on CI/CD and GitHub Actions supply-chain. Caught several of the qix and Shai-Hulud waves.
- @aikidosecurity — fast, detailed package compromise writeups.
- @wiz_io — Wiz research team; deep writeups on supply-chain and cloud incidents.
- @checkmarx — strong on PyPI typosquatting and slopsquatting.
- @reversinglabs — package reversing and advanced analysis.
- @ChainguardLabs — supply-chain hardening + sigstore.
Independent researchers
- @GossiTheDog (Kevin Beaumont) — general infosec broadcast, often first to amplify breaking incidents.
- @simonw (Simon Willison) — prompt injection, MCP, "lethal trifecta" framing. Best LLM-security commentator.
- @vxunderground — malware sample feed. Useful when you want to see what a payload actually does.
- @sethmlarson — PSF security developer-in-residence; coined "slopsquatting" with @AndrewN.
- @lirantal —
npqauthor, runs the Node.js security working group. - @RonMasas — Backslash Security; deep dives on AI/MCP attacks.
Vendors of the tools you use
Follow the security or product accounts for whatever you actually use:
- @AnthropicAI + @claudeai + @_catwu (Claude Code lead)
- @cursor_ai — Cursor releases and CVE notices
- @OpenAIDevs + @kevinweil
- @github / @githubsecurity
- @v0 (Vercel v0)
- @vercel
- @lovable_dev
- @stackblitz (Bolt)
- @replit
- @windsurf_ai
- @supabase + @kiwicopple
Official / government
- @CISACyber — CISA alerts. Slower than private researchers but authoritative.
- @GitHubSecurity — GHSA pushes.
How to set this up
- Create an X list called "Supply Chain" or "Vibe Security."
- Add the accounts above (or whichever subset matches your stack).
- Pin the list. Scan it once a day, ideally in the morning before you start writing code.
- If you don't use X, the same accounts mostly cross-post to Bluesky / Mastodon / LinkedIn.
What to do when you see something live
- Don't panic. Most incidents are scoped narrowly.
- Check if you use the affected package/tool/MCP.
- If yes → ALERTS.md → matching advisory → matching playbook.
- If you're the first to spot it for this repo, open an issue with the
new-advisorytemplate.