Wow, I wonder how many other npm and pypi packages are out there that started out as good simple solutions for a real problem and have now been migrated to become evil malware.
This is why Qubes OS exists, providing security through strong hardware isolation. The attacker would only get access to an empty VM. Split-ssh seems particularly relevant here: https://forum.qubes-os.org/t/split-ssh/19060
Another way is to use a hardware key for your ssh keys. I use a yubikey for ssh and for encrypting my passwords (via passage). Of course they could still steal my session tokens or try to backdoor my browser to catch my passwords when I enter them, but it's a higher bar to clear.