@pmdj @saagar I don't think code signing and library validation would have prevented this attack. My understanding is that sshd intends to load liblzma (perhaps indirectly) and that the malicious code in liblzma is introduced by subverting the legitimate build process. No unsigned code being executed, no unauthorized libraries being loaded.

The mechanism by which code inside liblzma can interfere with other parts of sshd might be more difficult with other Apple security protections. But that might only be a speed bump, not a wall.