diff --git a/README.md b/README.md
index 32acc78..00bf37e 100644
--- a/README.md
+++ b/README.md
@@ -49,6 +49,7 @@ The following are not in scope:
 - Set all default container policies to `reject`, `signedBy`, or `sigstoreSigned`
 - Remove SUID-root from [numerous binaries](https://github.com/secureblue/secureblue/blob/live/files/scripts/removesuid.sh) and replace functionality [using capabilities](https://github.com/secureblue/secureblue/blob/live/files/system/usr/bin/setcapsforunsuidbinaries)
 - Disable Xwayland by default (for GNOME, Plasma, and Sway images)
+- Mitigation of [LD_PRELOAD attacks](https://github.com/Aishou/wayland-keylogger) via `ujust toggle-bash-environment-lockdown`
 - (Non-userns variants) Disabling unprivileged user namespaces
 - (Non-userns variants) Replacing bubblewrap with bubblewrap-suid so flatpak can be used without unprivileged user namespaces
 
diff --git a/files/system/usr/share/ublue-os/just/60-custom.just b/files/system/usr/share/ublue-os/just/60-custom.just
index 747e57e..ddfa827 100644
--- a/files/system/usr/share/ublue-os/just/60-custom.just
+++ b/files/system/usr/share/ublue-os/just/60-custom.just
@@ -264,3 +264,61 @@ toggle-xwayland ACTION="prompt":
       fi
     fi
 
+# Toggle bash environment lockdown (mitigates LD_PRELOAD attacks)
+toggle-bash-environment-lockdown:
+    #!/usr/bin/bash
+    BASH_ENV_FILES=("$HOME/.bashrc" "$HOME/.bash_profile")
+    echo "${b}WARNING${n} This will overwrite your .bashrc and .bash_profile."
+    echo "This is needed to ensure the mitigation is effective."
+    echo "Do you understand?"
+    echo "Please type in \"YES I UNDERSTAND\" and press enter"
+    read ACCEPT
+    if [ "$ACCEPT" == "YES I UNDERSTAND" ]; then
+      if lsattr "${BASH_ENV_FILES[0]}" 2>/dev/null | grep -q 'i'; then
+        echo "Bash environment '(${BASH_ENV_FILES[@]})' is locked down. Unlocking it."
+        for file in "${BASH_ENV_FILES[@]}"; do
+            pkexec chattr -i "$file"
+        done
+      else
+        echo "Bash environment '(${BASH_ENV_FILES[@]})' is unlocked. Locking it."
+        echo "
+    # .bashrc
+
+    # Source global definitions
+    if [ -f /etc/bashrc ]; then
+        . /etc/bashrc
+    fi
+
+    # User specific environment
+    if ! [[ "\$PATH" =~ "\$HOME/.local/bin:\$HOME/bin:" ]]; then
+        PATH="\$HOME/.local/bin:\$HOME/bin:\$PATH"
+    fi
+    export PATH
+
+    # Uncomment the following line if you don't like systemctl's auto-paging feature:
+    # export SYSTEMD_PAGER=
+
+    unset rc
+          " > ~/.bashrc
+
+        echo "
+    # .bash_profile
+
+    # Get the aliases and functions
+    if [ -f ~/.bashrc ]; then
+        . ~/.bashrc
+    fi
+
+    # User specific environment and startup programs
+        " > ~/.bash_profile
+
+        for file in "${BASH_ENV_FILES[@]}"; do
+            pkexec chattr +i "$file"
+        done
+      fi
+    else
+      echo "Capitalization matters when you type \"YES I UNDERSTAND\""
+    fi
+
+    
+