XProtect is separate from Developer ID certificate revocation. In many cases, malware is not even code signed, so certificate revocation would do nothing.
> it does look like it was revoked in response to the original article, and not the other way around.
I was trying to figure out how long I had possibly been running the infected code. I was certainly in a state today where binaries were running with revoked signatures. What I couldn’t tell is if this state was only for a few minutes or hours, or if it was days or weeks.
If Apple only revoked the dev certificate (and possibly XProtect) today, that would make sense. But if it was revoked a ways back, then it would be concerning that it would require a reboot (with no prompting) for a regular user to fully kill the running background processes.
Actually, thinking about this further, if Apple had revoked the certificates before today, others would probably have noticed it and investigated given the “Move to trash” dialog and the strong assertion of “this is malware” in it.
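One way to answer the question raised in this post (are any currently running binaries unsigned or signed with a revoked certificate?) without waiting for the "Move to Trash" prompt is to walk the process list and ask `codesign` about each executable. The script below is an added example, not from this thread or from Apple; it assumes macOS, where `codesign` exists and `ps -axo comm=` prints the full executable path, and it assumes the message strings `code object is not signed at all` and `CSSMERR_TP_CERT_REVOKED` that `codesign --verify` emits for unsigned and revoked binaries. The classifier is plain text matching, so it can be exercised on sample output anywhere; the live audit only runs when invoked with `--audit`.

```shell
#!/bin/sh
# Added example (not part of the original thread): audit running processes
# for unsigned or revoked code signatures on macOS using codesign(1).

# classify_codesign_output: read `codesign --verify --verbose` output on
# stdin and print one word: unsigned, revoked, valid, or other.
# The matched strings are assumptions about codesign's messages.
classify_codesign_output() {
  out=$(cat)
  case "$out" in
    *"not signed at all"*)            echo unsigned ;;
    *CSSMERR_TP_CERT_REVOKED*)        echo revoked ;;
    *"valid on disk"*)                echo valid ;;
    *"satisfies its Designated Requirement"*) echo valid ;;
    *)                                echo other ;;
  esac
}

# check_binary PATH: run codesign against one executable and classify.
# Requires macOS; codesign writes its verdict to stderr, hence 2>&1.
check_binary() {
  codesign --verify --verbose=2 "$1" 2>&1 | classify_codesign_output
}

# audit_running_processes: list every running process with a resolvable
# executable path and report anything that is not "valid".
# Assumes `ps -axo comm=` yields full paths (true on macOS, not on Linux).
audit_running_processes() {
  ps -axo pid=,comm= | while read -r pid path; do
    [ -x "$path" ] || continue
    verdict=$(check_binary "$path")
    [ "$verdict" = valid ] && continue
    printf '%s\t%s\t%s\n' "$pid" "$verdict" "$path"
  done
}

# Only touch the live system when explicitly asked.
if [ "${1:-}" = "--audit" ]; then
  audit_running_processes
fi
```

Run it as `sh audit.sh --audit`; every line printed is a live process whose executable either is unsigned, fails verification because its Developer ID certificate was revoked, or produced output the classifier does not recognise, which is exactly the set worth a closer look before deciding whether a reboot is needed to clear it.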
No, Developer ID doesn't use a Certificate Revocation List:
https://lapcatsoftware.com/articles/revocation.html