> I'm assuming you are using unique passwords per application.

Yes, absolutely, and I only use the web, no other kind of client, no apps etc.

Any browser extensions?

Ever used a friends computer to sign in?

Tree style tabs, adblock plus, umatrix, all as far as I know reputable and clean.

Don't use other computers besides this one for Twitter. The password is very long, generated, so impossible to guess and I have never moved it to another machine.

Probably time to shut down the machine in question, clone it and do a forensics run on the clone. Use a new machine temporarily.

Obviously other vectors are possible, but in the absence of knowledge it is likely appropriate to react in a secure by default way.

Yes, this is good advice.

If I didn't know you to be tech savvy, I'd assume the most likely culprit is that your desktop had been hacked and the tweet did in fact come it.

Out of curiosity which OS and browser?

Linux, fairly well hardened, Firefox with umatrix and adblock plus.

No Javascript unless expressly authorized making some kind of drive-by browser attack quite unlikely.