Could a private key from JavaScript WebCrypto resist a malware attack?
Extremely intelligent malware with root permissions (on a *nix client) can do just about anything, including redirecting /dev/random or /dev/urandom to something they control. If the malware can control the random number generation your computer uses to create TLS keys, then it can break the HTTPS communication.
If the browser is open and the user logged in, then malware with the ability to perform raw mem dumps would be able to find the key.
In short, if a user can do it, then a theoretical malware program can do it.
I suggest the question should not be "is it possible for malware to..." as malware with unrestricted power can do anything that you can do. Instead, the question is, "what would it take for malware to...?" From this perspective, we're not measuring what's possible, but what is probable.
The methodology you described sounds about as good as it can get (outside of using the user's password to lock the private key / shared secret so that the server doesn't have to receive, store, and transmit it). There is no such thing as perfect security.
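The password-locking idea mentioned in the answer above, sketched with WebCrypto as an added example that is not part of the original answer: the private key is wrapped under a PBKDF2-derived AES-GCM key and comes back non-extractable after unlocking. The function names, the iteration count, the ECDSA P-256 key type and the sample password are assumptions made for illustration.

```javascript
// Added example (not from the original answer): password-lock a WebCrypto key.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const ITERATIONS = 600000; // assumed PBKDF2 work factor, tune per client
const ECDSA_P256 = { name: "ECDSA", namedCurve: "P-256" };

// Derive a non-extractable AES-GCM key-encryption key from the password.
async function deriveWrappingKey(password, salt) {
  const material = await wc.subtle.importKey(
    "raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: ITERATIONS },
    material, { name: "AES-GCM", length: 256 }, false, ["wrapKey", "unwrapKey"]);
}

// Encrypt the private key (PKCS#8) under the password-derived key.
async function lockPrivateKey(privateKey, password) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12));
  const kek = await deriveWrappingKey(password, salt);
  const wrapped = await wc.subtle.wrapKey(
    "pkcs8", privateKey, kek, { name: "AES-GCM", iv });
  return { salt, iv, wrapped: new Uint8Array(wrapped) };
}

// Decrypt back into a key object that script cannot export again.
async function unlockPrivateKey(blob, password) {
  const kek = await deriveWrappingKey(password, blob.salt);
  return wc.subtle.unwrapKey(
    "pkcs8", blob.wrapped, kek, { name: "AES-GCM", iv: blob.iv },
    ECDSA_P256, false, ["sign"]);
}

// Round trip with a constructed password and message.
async function demo() {
  const pair = await wc.subtle.generateKey(ECDSA_P256, true, ["sign", "verify"]);
  const blob = await lockPrivateKey(pair.privateKey, "constructed-passphrase");
  const key = await unlockPrivateKey(blob, "constructed-passphrase");
  const msg = new TextEncoder().encode("constructed message");
  const alg = { name: "ECDSA", hash: "SHA-256" };
  const sig = await wc.subtle.sign(alg, key, msg);
  const verified = await wc.subtle.verify(alg, pair.publicKey, sig, msg);
  // AES-GCM authentication fails when the derived key is wrong.
  const wrongPasswordRejected = await unlockPrivateKey(blob, "wrong-passphrase")
    .then(() => false, () => true);
  return { verified, extractable: key.extractable, wrongPasswordRejected };
}
```

Marking the unlocked key non-extractable only blocks `exportKey` from page script; as the answer says, malware that can dump the browser's memory while the key is unlocked is outside what this protects against.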