Neat. Some steps that I take on desktop Linux machines like my work machine that mitigate this attack:

- Always run your browser in a restricted firejail. This prevents browser exploits from reading your SSH keys. It also makes it much harder to pivot to a root shell or maintain a persistent backdoor because the filesystem is deleted upon jail exit.

- Don't install multimedia applications on sensitive machines. My default install is Ubuntu Server with i3-wm, vim, git and other dev tools. No mplayer, no VLC, no multimedia. I listen to music on my phone if I want to jam out. The work computer is for work.

- Use snapshotted VMs for interacting with sketchy files such as Word docs, xlsx, mp3s, etc.

- Default deny rules in iptables to block inbound connections.

- Static ARP entry for the default route to prevent MITM on the LAN if possible. I do this on my work machine where the network is well known.
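
An added example, not part of the comment above: a shell audit that checks whether the last two steps (default-deny inbound iptables, static ARP entry for the default gateway) are actually in effect. The function names and the sample output are constructed for illustration; the functions parse the text that `iptables -S INPUT`, `ip route show default` and `ip neigh show` print.

```shell
#!/bin/sh
# Added example: each function reads command output on stdin, so the checks
# can be run against saved output as well as a live host.

# Succeeds if the INPUT chain denies by default: policy DROP, or a final
# unconditional DROP/REJECT rule.
input_default_deny() {
    awk '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 == "-A" && $2 == "INPUT" { last = $0 }
        END {
            if (policy == "DROP") exit 0
            if (last ~ /^-A INPUT -j (DROP|REJECT)( |$)/) exit 0
            exit 1
        }'
}

# Prints the default gateway address from `ip route show default` output.
default_gateway() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# $1 = gateway IP. Succeeds only if its neighbour entry is PERMANENT (static),
# not a learned state such as REACHABLE or STALE.
gateway_arp_is_static() {
    awk -v gw="$1" '$1 == gw && $NF == "PERMANENT" { found = 1 } END { exit !found }'
}

audit() {  # $1 = iptables -S text, $2 = ip route text, $3 = ip neigh text
    rc=0
    printf '%s\n' "$1" | input_default_deny || { echo "FAIL: INPUT is not default-deny"; rc=1; }
    gw=$(printf '%s\n' "$2" | default_gateway)
    printf '%s\n' "$3" | gateway_arp_is_static "$gw" || { echo "FAIL: no static ARP entry for gateway $gw"; rc=1; }
    return $rc
}

# Constructed sample output (documentation addresses, not from a real host).
SAMPLE_IPTABLES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
SAMPLE_ROUTE='default via 192.0.2.1 dev eth0 proto dhcp metric 100'
SAMPLE_NEIGH='192.0.2.1 dev eth0 lladdr 02:00:00:00:00:01 PERMANENT
192.0.2.7 dev eth0 lladdr 02:00:00:00:00:07 STALE'

# On a live host (iptables needs root):
#   audit "$(iptables -S INPUT)" "$(ip route show default)" "$(ip neigh show)"
audit "$SAMPLE_IPTABLES" "$SAMPLE_ROUTE" "$SAMPLE_NEIGH" && echo "OK: both checks pass on the sample"
```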