[ShivShankaran]

The malicious package uploads your ssh private keys to it's server. This is extremely concerning to people that may have accidentally installed.

Judging from the package installation stats this was installed around 2,500 times

[bentley]

Good reason to get a Yubikey or similar, and use it to generate WebAuthn‐based SSH keys that can’t be used once exfiltrated. (“ssh-keygen -t ed25519_sk”)

[yjftsjthsd-h]

Encrypting keys with a passphrase would also help.

[jacquesm]

Yes, but once an attacker has root on your systems they may well install something that captures that passphrase so a chunk of hardware that you have with you would seem to offer some extra protection.

[rsj_hn]

Fortunately ssh has forward secrecy, so if you are using the keys in your ssh client and don't use them after they are compromised, then your traffic remains secure. However if these keys are used in an ssh server and someone has marked those keys as trusted, potential issues remain. Unfortunately ssh does not have the PKI infrastructure of ssl to revoke keys.

But an ssh server (or any other server) should not also be used as a development environment that is pulling dependencies (if you are developing a server, then you should be using dummy keys and doing the development in a non-production environment).

[charcircuit]

>Unfortunately ssh does not have the PKI infrastructure of ssl to revoke keys.

It does, but very few people use it.