All of these attacks on language supply chains have me increasingly convinced that, at the very least, some sort of lightweight formal verification that "this package isn't doing anything obviously sketchy" is necessary. One promising avenue for this is something like Safe Haskell ( https://downloads.haskell.org/~ghc/7.8.4/docs/html/users_gui... ), which proves during compilation that a library function like
sign :: Privkey -> Message -> Signature
can't steal your private key and ship it off to some scammer. (Because sending your private key to a scammer requires network IO, and the type of this function implies it doesn't do network IO, and Safe Haskell guarantees that it doesn't use any "backdoors" to do IO.) It's not perfect, but it's a pretty good start in the right direction.
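To make the argument concrete, here is what the guarantee looks like in code. This is an added example, not code from the comment above or from GHC's documentation: the `Signing` module, its `sign` function and the `sendToAttacker` name are all hypothetical, and the "signature" it computes is a toy, not a real scheme. The point is the type plus the `Safe` pragma, which together rule out the exfiltration path the comment describes.

```haskell
-- File: Signing.hs
-- Hypothetical third-party signing library (added example, not from the
-- thread). Its only job is to show what the type signature plus Safe Haskell
-- rule out; the "signature" it computes is a toy, not a real scheme.
{-# LANGUAGE Safe #-}
module Signing (Privkey (..), Message (..), Signature (..), sign) where

import Data.Bits (xor)
import Data.Word (Word8)

newtype Privkey   = Privkey   [Word8]
newtype Message   = Message   [Word8]
newtype Signature = Signature [Word8] deriving (Eq, Show)

-- Pure: the type carries no IO, so no socket can be opened in here.
-- (Toy maths; assumes a non-empty key.)
sign :: Privkey -> Message -> Signature
sign (Privkey k) (Message m) = Signature (zipWith xor (cycle k) m)

-- The backdoor the comment worries about cannot be compiled into a Safe
-- module. Uncommenting these lines makes GHC refuse the import:
--
--   import System.IO.Unsafe (unsafePerformIO)   -- module is marked Unsafe
--   exfiltrate :: [Word8] -> IO ()
--   exfiltrate = sendToAttacker                 -- hypothetical network call
--   sign (Privkey k) (Message m) =
--     unsafePerformIO (exfiltrate k) `seq` Signature (zipWith xor (cycle k) m)
--
-- with an error along the lines of
--   System.IO.Unsafe: Can't be safely imported! The module itself isn't safe.
-- A `foreign import` of a C function whose result type is not in IO is
-- rejected the same way, so the FFI is not an escape hatch either, and
-- Template Haskell (arbitrary code at compile time) is disabled under Safe.

-- File: Main.hs
-- The application. Compiling it with Safe means every module it imports must
-- itself be Safe, or Trustworthy in a package we explicitly trust.
{-# LANGUAGE Safe #-}
module Main (main) where

import Signing (Privkey (..), Message (..), sign)

main :: IO ()
main = print (sign (Privkey [0x13, 0x37]) (Message [0x48, 0x69, 0x21]))
```

Build with `ghc -fpackage-trust -trust base Main.hs` (`Data.Bits` and `Data.Word` are marked Trustworthy in `base`, hence `-trust base`). Two caveats a practitioner should keep in mind. First, without `-fpackage-trust` GHC accepts any module that simply declares itself `{-# LANGUAGE Trustworthy #-}`, so a malicious package can opt out of the checks with one pragma; the flag plus a short `-trust` list is what turns Safe Haskell into a supply-chain control. Second, the guarantee is exactly as strong as the type: a library exporting `sign :: Privkey -> Message -> IO Signature` has proved nothing about where the key goes.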
Qubes OS is the only solution that I know of that solves these issues right now.
It's a pity that using it forces you to not use your GPU, which is a blocker for many use-cases. I'm a huge fan of Qubes OS but I still don't use it on my main workstation at home for that reason (I do use it at work).
I'm not positive about this but keylogger actions have been picked up by anti-virus before. You might be able to decrease the chance you're caught as well by using this method. And what the other comment below me said about copying and pasting wallet details. This is actually an interesting attack against password manager usage. There are a lot of websites I use where autofill doesn't work correctly.
Virtually no one manually types in a wallet address. You copy/paste it.
> Once inside, the malware executed a malicious script that starts an infinite loop to capture a user’s clipboard data—with the goal of redirecting all potential cryptocurrency transactions to their wallet address.
Sounds like they were replacing the pasted addresses with their own when you paste it in the "transfer currency to..." fields.
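The swap described in the quoted passage leaves a detectable trace on the host: the user's application writes an address to the clipboard, and a different process overwrites it with another address a few milliseconds later. Below is an added example of that detection logic, written here for this page and not taken from the thread or the article it quotes. The clipboard events, process names and the `1AttackerAddr...` value are constructed for the example; the other two addresses are the well-known example values from the Bitcoin and EIP-55 documentation, not anyone's wallet. On Windows a sensor would obtain the owner field from `GetClipboardOwner`.

```haskell
-- ClipGuard.hs: added example, not code from the thread or the article it
-- quotes. Feed it clipboard-change events recorded by an endpoint sensor
-- (on Windows, GetClipboardOwner gives the process that set the clipboard).
module Main where

import Data.Char (isHexDigit)
import Data.List (isPrefixOf)

data ClipEvent = ClipEvent
  { evTimeMs :: Int     -- milliseconds since the sensor started
  , evOwner  :: String  -- process that wrote the clipboard
  , evText   :: String  -- clipboard text after the write
  } deriving (Show, Eq)

-- Rough address shapes, enough to tell "looks like a wallet address" from
-- ordinary text. Not a validator: no checksum is verified.
base58Alphabet, bech32Alphabet :: String
base58Alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
bech32Alphabet = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

looksLikeAddress :: String -> Bool
looksLikeAddress s
  | "0x"  `isPrefixOf` s = length s == 42 && all isHexDigit (drop 2 s)              -- Ethereum
  | "bc1" `isPrefixOf` s = length s >= 42 && all (`elem` bech32Alphabet) (drop 3 s)  -- Bitcoin bech32
  | take 1 s `elem` ["1", "3"] =
      length s >= 26 && length s <= 35 && all (`elem` base58Alphabet) s            -- Bitcoin legacy
  | otherwise = False

-- The hijacker's loop rewrites the clipboard right after the user copies an
-- address, so the signal is: a different process replaces one address-looking
-- value with another address-looking value within a short window.
swapAlerts :: Int -> [ClipEvent] -> [(ClipEvent, ClipEvent)]
swapAlerts windowMs evs =
  [ (a, b)
  | (a, b) <- zip evs (drop 1 evs)
  , evOwner a /= evOwner b
  , evTimeMs b - evTimeMs a <= windowMs
  , looksLikeAddress (evText a)
  , looksLikeAddress (evText b)
  , evText a /= evText b
  ]

-- Constructed sample: a copy from the browser, an overwrite 120 ms later by
-- another process, then an unrelated copy a minute on. The first and last
-- addresses are published example values; the middle one is made up.
sampleEvents :: [ClipEvent]
sampleEvents =
  [ ClipEvent     0 "firefox.exe" "meeting notes"
  , ClipEvent  5000 "firefox.exe" "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
  , ClipEvent  5120 "updater.exe" "1AttackerAddrXXXXXXXXXXXXXXXXXXXXX"
  , ClipEvent 65000 "chrome.exe"  "0x52908400098527886E0F7030069857D2E4169EE7"
  ]

-- Only the firefox.exe -> updater.exe transition is reported; the later
-- chrome.exe copy is a different process but far outside the window.
main :: IO ()
main = mapM_ report (swapAlerts 2000 sampleEvents)
  where
    report (before, after) = putStrLn $
      "ALERT: " ++ evOwner after ++ " replaced " ++ evText before
        ++ " with " ++ evText after ++ " "
        ++ show (evTimeMs after - evTimeMs before) ++ " ms after "
        ++ evOwner before ++ " set it"
```

Build with `ghc ClipGuard.hs` and run the binary. The heuristic has known blind spots: a hijacker that lives inside the copying process (a browser extension, for instance) produces no owner change, and one that rewrites faster than the sensor samples may hide the original value entirely. It is a detection aid, not a substitute for checking the pasted address against an out-of-band copy before confirming a transfer.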