The maintainer of xz was pressured into adding a new, unknown maintainer because he was alone and most likely unpaid. Had this critical piece of software been well-funded and the maintainer well-compensated, he probably never would've added the maintainer.
Regardless, I'm not sure how an antivirus would help here. This was a component upon which many others were built. How would this have been detected heuristically? Maybe somebody with a deeper understanding can also weigh in whether SELinux could've helped here, but if it's a lib*
, I guess not.
IMO the major problem is upstream: fund critical components. If you work in an org using opensource (and I bet you do), try and get them to set aside some kind of budget for opensource projects they use. For example a simple 100€ distributed across selected projects every month or every year. Or more, whatever.. just something.
Also probably reproducible builds would help. The distributed archives should not differ from that of multiple build services.