I don't see those as realistic. Session interception largely isn't a thing anymore, unless we're talking about nation-state levels of attackers, and if the service is storing your password unhashed then I sincerely doubt their 2FA is configured in a secure way anyway.
I think it’s not a nation-state actor thing. In 2018 British Airways checkout got popped by a JavaScript library being changed to eavesdrop on credit cards. The same thing could easily happen with password forms.
Granted, they didn’t break the session in flight, but there is a low bar to achieve the same thing.