A malicious Obsidian community plugin was weaponized to deliver Phantom Pulse, a remote access trojan that targets exactly the file types developers and knowledge workers keep in or beside their vaults: SSH keys, .env files, browser cookies, and project notes containing API tokens. The plugin shipped through the standard community plugins flow, so anyone who installed it in the window between publication and takedown received the payload over the same trusted-by-default channel they use for syntax highlighting and Kanban boards. This is not a novel exploit; it is the same supply chain pattern that has hit npm, PyPI, the VS Code marketplace, and Chrome extensions. What makes the Obsidian case worth examining is the threat model gap: most teams treat their note-taking tool as a productivity app, not a code execution surface. Obsidian plugins run as Node.js modules with full filesystem access, with no per-plugin permission prompt and no sandbox between the plugin and the user's home directory. So do VS Code extensions. So do Cursor extensions.…