A recent malware campaign against Python developers is the latest example of the craftiness and resourcefulness of attackers who target the software supply chain, according to cybersecurity researchers. Victims of the “far-reaching” operation included individual developers who publicly wrote about their incidents, as well as members of Top.gg — a community for people who
What? You seriously think that ssh keys and 2fa are going to stop these attackers, who btw originally did typosquatting for malicious packages on PyPI? And from that article it sounds like they used something like evilginx or modlishka, judging from the mention of session cookies.
Ssh keys don’t get compromised by stealing session cookies/mitm, and correct use of 2fa defeats the attack. Putting 2fa only on login is how you get zingered by session theft.