<a href="https://archive.ph/AcfYR" rel="nofollow">https://archive.ph/AcfYR</a><p>TLDR: Compromised desktop using an "AI plugin" from GitHub, didn't use 2FA when accessing employer's remote password vault service, so all those other credentials compromised too.<p>Ideally, have 2FA on everything (not just any "vaults", but everything inside it too) and try to make sure nobody compromises <i>both</i> your computer and your other-device at the same time, whether it's a code-fob or a smartphone. Oh, and don't download sketchy stuff, but with supply-chain attacks these days that's getting a lot harder.<p>I find myself yearning for a "dumb" time-code on an air-gapped keyfob, plus a small device like a Raspberry Pi for a self-hosted password store that requires the fob-code for a very locked-down remote access. Encrypted at rest, too. Ultimately, I'm much more afraid of a sneaky pervasive software compromise than some <i>unusually</i> well-prepared thief.