Build a dedicated list. Most supply-chain stories break here hours before the blog posts go up.

Vendors that ship advisories fast

  • @SocketSecurity — first to spot most npm package compromises. Single best signal for npm.
  • @snyksec — Snyk Security team. Broad coverage across npm, PyPI, Maven, etc.
  • @StepSecurityIO — focuses on CI/CD and GitHub Actions supply-chain. Caught several of the qix and Shai-Hulud waves.
  • @aikidosecurity — fast, detailed package compromise writeups.
  • @wiz_io — Wiz research team; deep writeups on supply-chain and cloud incidents.
  • @checkmarx — strong on PyPI typosquatting and slopsquatting.
  • @reversinglabs — package reversing and advanced analysis.
  • @ChainguardLabs — supply-chain hardening + sigstore.

Independent researchers

  • @GossiTheDog (Kevin Beaumont) — general infosec broadcast, often first to amplify breaking incidents.
  • @simonw (Simon Willison) — prompt injection, MCP, "lethal trifecta" framing. Best LLM-security commentator.
  • @vxunderground — malware sample feed. Useful when you want to see what a payload actually does.
  • @sethmlarson — PSF security developer-in-residence; coined "slopsquatting" with @AndrewN.
  • @lirantalnpq author, runs the Node.js security working group.
  • @RonMasas — Backslash Security; deep dives on AI/MCP attacks.

Vendors of the tools you use

Follow the security or product accounts for whatever you actually use:

Official / government

How to set this up

  1. Create an X list called "Supply Chain" or "Vibe Security."
  2. Add the accounts above (or whichever subset matches your stack).
  3. Pin the list. Scan it once a day, ideally in the morning before you start writing code.
  4. If you don't use X, the same accounts mostly cross-post to Bluesky / Mastodon / LinkedIn.

What to do when you see something live

  1. Don't panic. Most incidents are scoped narrowly.
  2. Check if you use the affected package/tool/MCP.
  3. If yes → ALERTS.md → matching advisory → matching playbook.
  4. If you're the first to spot it for this repo, open an issue with the new-advisory template.