If the malicious-npm-package-of-the-week is reading arbitrary files on your workstation, isn't it usually able to run git clone/push/whatever with your current credentials anyway?
Yes, but also no. For example in GitLab a user who’s infected could push code to a branch. Then it could even make a merge request to pull that branch into main (if main is protected).
But then someone else on the team should have to manually approve that MR to allow it to be merged to main.
This kind of defeats the ability of malware to push stuff out automatically.
Malware running on your computer can engineer a situation where you would naturally press that without suspecting anything.
1. Malware logs you out of github.com
2. It waits for you to navigate to the login page
3. It initiates an SSH/signing operation requiring physical touch
4. You hit login on github.com, a 2nd FIDO operation is queued up
5. You press the yubikey button, confirming the SSH operation
6. "Nothing happens", so you press it again to log in
7. You're now logged in, and your SSH credentials have just been hijacked.
Or it could just inject itself into your shell profile, and do this the next time you ssh anywhere. You never really know what you're confirming so Yubikey's threat model implicitly depends on the host device being trustworthy.
This is why hardware wallets for crypto have a physical display to confirm the address and the amount before signing the transaction.
But then someone else on the team should have to manually approve that MR to allow it to be merged to main.
This kind of defeats the ability of malware to push stuff out automatically.