Note that if SIP is enabled (the default), "root access" does not mean full compromise. On macOS, root is far from being as privileged as it was in the old days of UNIX yore. (Even on Linux it does not have to be, but my impression is that on most distributions it probably still is.)

Just because you're root does not mean you get any entitlement you want, or arbitrary access to the whole filesystem, arbitrary memory access (a la /dev/(k)mem), or can replace the kernel just like that.

(That's also probably why you don't hear of iPhones being "rooted", but rather "jailbroken". Just being root on an iPhone wouldn't do that much.)

Make no mistake, this is still a privilege escalation attack and needs to be fixed.

I don't need root access... just your .ssh dir.

Though you should keep your private keys protected by a pass phrase.

Top tip for people that use 1Password: I've discovered recently that you can run it as an ssh agent. That way your keys never leave the 1Password app.

Either you're forced to type in your password 100 times a day (so the rootkit has to wait until you type it in) or you use ssh-agent and your decrypted key is in memory for all to see.

Indeed. Use the Mac’s Secure Enclave [1] or a Yubikey, preferably with Touch ID or touch confirmation on a YK.

https://github.com/maxgoedjen/secretive
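The trade-off raised earlier in the thread (a decrypted key sitting in ssh-agent's memory for as long as the agent lives) can be narrowed with ssh-add's lifetime option, which makes the agent forget the key after a fixed number of seconds. This is an added example, not code from the thread; it assumes OpenSSH's ssh-agent, ssh-add and ssh-keygen are on PATH, and the key it generates is a throwaway constructed only for the demo.

```shell
#!/bin/sh
# Added example: bound how long ssh-agent holds a decrypted key (ssh-add -t).
# Assumes OpenSSH ssh-agent, ssh-add and ssh-keygen are installed.

# Start a private agent for this shell and create a throwaway, passphrase-less
# key in a temp dir (constructed for the demo; never use such a key for real).
demo_setup() {
    DEMO_DIR=$(mktemp -d)
    eval "$(ssh-agent -s)" >/dev/null
    ssh-keygen -q -t ed25519 -N '' -f "$DEMO_DIR/demo_key" -C "demo (constructed)"
}

# Number of ED25519 identities the agent currently holds (0 when empty).
# `ssh-add -l` exits non-zero and prints a notice when the agent is empty,
# so the grep count is captured with `|| true` to keep `set -e` scripts alive.
agent_key_count() {
    n=$(ssh-add -l 2>/dev/null | grep -c 'ED25519') || true
    echo "$n"
}

# Load the demo key with a lifetime of $1 seconds. After that the agent drops
# the decrypted key on its own, instead of keeping it until logout or reboot.
# (Adding -c would additionally require a confirmation prompt on every use.)
add_key_with_lifetime() {
    ssh-add -t "$1" "$DEMO_DIR/demo_key" >/dev/null 2>&1
}

# Kill the demo agent and remove the throwaway key material.
demo_teardown() {
    ssh-agent -k >/dev/null 2>&1
    rm -rf "$DEMO_DIR"
}
```

Run `demo_setup`, then `add_key_with_lifetime 2` and compare `agent_key_count` before and after a few seconds to watch the key expire.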