I know that keyloggers primarily work by logging key presses, either through software or hardware. And some will also check for clipboard contents.
But can a keylogger (or some other malware) intercept the data when a password manager autofills a password or other field?
Offline Password manager autofills can work in two ways (at least most of them):
Both these solutions have their fair share of advantages which are listed below, but before anything it's important to note that - nothing is 'perfectly secure' from a decently featured keylogger
What does this mean? Well. By definition, a keylogger is generally assumed to be software that captures keystrokes. Now it'd be part of this program's functionality to record any keystrokes - so it would capture all passwords entered by a password manager that simulated keystrokes. However, there are other types of password managers that don't do this. But today, many 'commercially' sold keyloggers even include the capability to take screenshots at particular intervals of time and save all the contents of the clipboard to a file. The last bit is important, because it sort of renders even password managers that use the clipboard to fill in these forms useless.
But.
Here's the thing - password managers aren't meant to prevent keyloggers from capturing your data as this answer points out well. Quoting directly:
"The point of keepass is not to prevent keyloggers. (Granted incidentally it will almost prevent hardware keyloggers; someone inserting a keylogging device between your keyboard and computer will not be able to observe a password you used once via cutting and pasting."
So the real solution to preventing these attacks is to monitor your system for any keyloggers or use some sort of AV solution. All of this, you've stated pretty well in your question. So:
But can a keylogger (or some other malware) intercept the data when a password manager autofills a password or other field?
The answer to this is yes. Since we've already spoken about how keyloggers might steal passwords when they're being filled, the simplest type of malware that fits this question would be a malicious browser extension. It's simple to write a nefarious extension that saves all entered form data or sends it to a C&C server. In fact, you might even give it permission (because Chrome in question just asks you for permission during installation and you're likely to click through all requested perms without really reading them. But again, who does?)
Or if you'd like to put in a bit more effort, malware could also intercept and log all network traffic and then search the decoded output for any password fields. The real kicker here is that since it's on your device, you won't even know that you are being MITM'ed.
