this is the third supply chain incident this month. axios, vercel oauth, now your password manager.
bitwarden cli got compromised. the attack didn't exploit a bug in bitwarden's code. it poisoned the build pipeline.
the package that hit your machine came from the official npm account, correct signature, official source — and it was malicious.
here's how it worked:
attackers compromised bitwarden's github actions CI/CD pipeline (exact method not yet disclosed). malicious code was injected into bw1.js, shipped as @bitwarden/cli 2026.4.0 on npm. anyone who installed it ran the payload.
what the payload harvested from your machine:
github tokens (via Runner.Worker memory scraping)
aws credentials (~/.aws/)
azure, gcp tokens
npm tokens (.npmrc)
ssh keys
claude/mcp config files
all exfiltrated to attacker-controlled github repos, silently.
then it got worse. it used your stolen npm token to find every package you have write access to, and injected a preinstall hook into those too. every developer who installs your packages becomes the next victim. exponential spread, fully silent.
it also wrote itself into ~/.bashrc and ~/.zshrc for persistence. restarts don't help.
why this is hard to fix: the attacker published poisoned versions using stolen tokens, so they look completely normal on npm registry. nobody knows which packages got hit second-hand.
socket.dev is scanning continuously, finding them one by one. there's no "all clear" moment — it's a cat and mouse game.
what you can do:
if you had @bitwarden/cli 2026.4.0 installed: rotate everything now. github tokens, aws keys, npm tokens, ssh keys, and anything else the payload could read from the files listed above
pin your cli tool versions. no ^ or * for anything that touches credentials
revoke npm tokens you're not actively using
use lockfiles — they pin the exact version and integrity hash of every package, so a newly published poisoned version isn't pulled in on a plain install, and a tampered tarball fails the integrity check instead of installing (npm ci refuses to run at all if package.json and the lockfile disagree)
browser extension and mcp server are not affected. cli only
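added example, not from the original post or from bitwarden: a small offline triage script for the checks above. it looks for the affected @bitwarden/cli version in a package-lock.json, lists installed packages that declare install-time lifecycle hooks (the spread mechanism described above), and flags shell rc lines that look like appended persistence. the lockfile, node_modules tree and rc file contents are constructed samples; the rc-line patterns are a generic heuristic, not indicators from this incident.

```python
"""Offline triage checks for the @bitwarden/cli 2026.4.0 incident.
Added example; sample inputs below are constructed, not real artifacts."""
import json
import re
import tempfile
from pathlib import Path

# only version named in the post; extend as advisories name more packages
AFFECTED = {"@bitwarden/cli": {"2026.4.0"}}
LIFECYCLE = ("preinstall", "install", "postinstall")

# heuristic for rc-file persistence: node running a script, node_modules
# paths, curl/wget piped into a shell, or anything executed from /tmp
SUSPECT = re.compile(
    r"(?:\bnode\b.*\.js|node_modules|npx\b|curl\b.*\|\s*(?:ba)?sh"
    r"|wget\b.*\|\s*(?:ba)?sh|/tmp/)"
)


def affected_in_lockfile(lock: dict) -> list:
    """Return sorted (name, version) pairs matching AFFECTED.
    Handles lockfile v2/v3 ('packages' keyed by path) and v1 ('dependencies')."""
    hits = set()
    for path, meta in lock.get("packages", {}).items():
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if meta.get("version") in AFFECTED.get(name, set()):
            hits.add((name, meta["version"]))

    def walk(deps):
        for name, meta in deps.items():
            if meta.get("version") in AFFECTED.get(name, set()):
                hits.add((name, meta["version"]))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return sorted(hits)


def packages_with_lifecycle_scripts(node_modules: Path) -> list:
    """List (name, {hook: command}) for installed packages declaring an
    install-time script. Native addons legitimately use these, so review
    the list; an unexpected preinstall on a pure-JS package is the signal."""
    found = []
    for pj in sorted(node_modules.rglob("package.json")):
        try:
            data = json.loads(pj.read_text())
        except (OSError, ValueError):
            continue
        scripts = data.get("scripts", {})
        hooks = {k: scripts[k] for k in LIFECYCLE if k in scripts}
        if hooks:
            found.append((data.get("name", str(pj.parent)), hooks))
    return found


def suspicious_rc_lines(text: str) -> list:
    """Return (line_no, line) for non-comment rc lines matching SUSPECT."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s and not s.startswith("#") and SUSPECT.search(s):
            out.append((n, s))
    return out


# ---- constructed sample inputs -------------------------------------------
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app", "version": "1.0.0"},
        "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}

SAMPLE_RC = """\
# ~/.zshrc (constructed sample)
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
node "$HOME/.cache/.helper.js" >/dev/null 2>&1 &
"""


def build_sample_node_modules() -> Path:
    """Construct a throwaway node_modules tree: one clean package and one
    (hypothetical 'hooked-lib') that declares a preinstall hook."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    (root / "clean-lib").mkdir(parents=True)
    (root / "clean-lib" / "package.json").write_text(
        json.dumps({"name": "clean-lib", "version": "1.0.0"}))
    (root / "hooked-lib").mkdir()
    (root / "hooked-lib" / "package.json").write_text(json.dumps({
        "name": "hooked-lib", "version": "2.0.0",
        "scripts": {"preinstall": "node ./setup.js"}}))
    return root


if __name__ == "__main__":
    print("affected in lockfile:", affected_in_lockfile(SAMPLE_LOCK))
    print("lifecycle hooks:", packages_with_lifecycle_scripts(build_sample_node_modules()))
    print("suspicious rc lines:", suspicious_rc_lines(SAMPLE_RC))
```

point affected_in_lockfile at every package-lock.json on the box (json.load of the file), packages_with_lifecycle_scripts at each project's node_modules plus the global prefix from npm root -g, and suspicious_rc_lines at ~/.bashrc and ~/.zshrc. a lifecycle hit is a lead, not a verdict: compare the hook against the package's published source before deciding, and treat any rc line you didn't write as reason to rotate credentials regardless of what else the scan finds.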
the uncomfortable truth: if you depend on a package and need updates, you have to trust the entire publish chain. "install from the official channel" used to be the safe answer.
it isn't anymore.
socket.dev/blog/bitwarden-cl…