xmodem | 5 days ago
Every time one of these comes up, I have similar thoughts. A threat actor is in the position to pull off a large-scale supply chain compromise, and the best thing you can think of to do with that is also the thing that will guarantee you are discovered immediately? Mine crypto on the damn CPU, or publicly post the victim's credentials to their own GitHub account?

On one hand, I cannot accept that the actors that we see who pull these off are the best and brightest. My gut tells me that these attacks must be happening in more subtle ways from time to time. Maybe they're more targeted, maybe they're not but just have more subtle exfil mechanisms.

On the other, well, we have exactly one data point of an attempt at a more subtle attack. And it was thwarted right before it started to see widespread distribution. But also there was a significant amount of luck involved. And what if it hadn't been discovered? We'd still have zero data points, but some unknown actor would possess an SSH skeleton key.

So I don't know what to think.
marshray | 5 days ago | parent
I like this aspect of cryptocurrency, in that it creates an incentive for attackers to research and burn 0-days for a lesser harm like coin mining.

> My gut tells me that these attacks must be happening in more subtle ways from time to time.

Dual_EC_DRBG plus TLS Extended Random come to mind.