> Keep in mind that X11 is a protocol, so the client might not be running as your user on your local machine; it could be a dedicated machine that's only running the client.
For an X server to be network exposed, you first have to either SSH forward it or remove the nowadays-default "-nolisten TCP", and then either get the xauth secret or have the user do 'xhost +'.
At that point I'm gonna say the attacker earned their keylogger access.
And you or your distro might consider patching out the TCP variant.
Saying 'xhost +menger' and being able to run graphical apps from my university's Sun server -- OPEN LOOK apps at that -- on my local Linux machine was peak 1990s computing.
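The exposure conditions discussed in this thread (TCP listener, `xhost +`, host entries, xauth cookie) as an audit check. This is an added example, not part of any comment above; the function name, the sample command lines and the sample `xhost` output are constructed, and it assumes a server that does not listen on TCP unless told to. SSH forwarding is not covered.

```python
import shlex

def x_exposure(server_cmdline, xhost_output, default_tcp=False):
    """Classify how reachable an X server is from its argv and `xhost` output."""
    argv = shlex.split(server_cmdline)
    tcp = default_tcp  # assumption: nolisten tcp is the build default
    # The last -listen/-nolisten given for the tcp transport wins.
    # The transport name is lowercased here only to tolerate sloppy input.
    for flag, value in zip(argv, argv[1:]):
        if value.lower() == "tcp" and flag in ("-listen", "-nolisten"):
            tcp = flag == "-listen"

    lines = [l.strip() for l in xhost_output.splitlines() if l.strip()]
    # First line says whether access control is on; `xhost +` turns it off.
    open_to_all = bool(lines) and "access control disabled" in lines[0].lower()
    # Remaining lines are access-list entries; INET/INET6 ones name network hosts.
    hosts = [l.split(":", 1)[1] for l in lines[1:]
             if l.upper().startswith(("INET:", "INET6:"))]

    if not tcp:
        verdict = "no TCP listener"
    elif open_to_all:
        verdict = "TCP listener, any host may connect"
    elif hosts:
        verdict = "TCP listener, listed hosts may connect without a cookie"
    else:
        verdict = "TCP listener, xauth cookie required"
    return {"tcp": tcp, "open_to_all": open_to_all, "hosts": hosts,
            "verdict": verdict}

ENABLED = "access control enabled, only authorized clients can connect\n"
# Constructed samples: (server command line, xhost output)
SAMPLES = {
    "default": ("/usr/lib/xorg/Xorg :0 -nolisten tcp -auth /run/user/1000/xauth",
                ENABLED + "SI:localuser:alice\n"),
    "xhost_plus": ("Xorg :0 -listen tcp",
                   "access control disabled, clients can connect from any host\n"),
    "xhost_host": ("Xorg :0 -listen tcp",
                   ENABLED + "INET:menger\nSI:localuser:alice\n"),
    "cookie_only": ("Xorg :0 -listen tcp", ENABLED + "SI:localuser:alice\n"),
}

if __name__ == "__main__":
    for name, (cmd, xh) in SAMPLES.items():
        print(f"{name:12} {x_exposure(cmd, xh)['verdict']}")
```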