What is the risk of malware / a virus infecting the operating system of a critical minority of node(s) performing transactions or verifications on this blockchain? Are there any mitigations in the blockchain or node software to prevent such an attack, or to allow for disaster recovery of the blockchain ledger as a result of such an attack?
This is a very valid concern. If malware manages to infect the OS, the hypervisors (in case of virtualization), or other critical parts of nodes, there is not much that can be done. I believe almost all blockchains would have the same issue. Some hardening techniques may be used, but in the end, if there is a huge supply chain attack targeting a critical component of the nodes like the kernel, it seems unlikely that anything can be done.
On the other hand, if an attacker is able to mount such an attack, it is unlikely they would only target the Algorand blockchain, as opposed to targeting all the blockchains and all the critical services (financial services, governments, and so on).
Technologies like Intel SGX could in theory be used, but these technologies are not infallible either (Software Guard Extensions - Wikipedia).
On the other hand, what makes Algorand more resilient than many blockchains against such attacks is that the consensus protocol allows for a very large number of participation nodes (that other blockchains call “validators”). This is because the consensus protocol uses novel ideas such as sortition to ensure that its performance is essentially independent of the number of nodes. Even with millions of nodes, we should expect similar performance as now.
Since those nodes are run by many different entities, with slightly different settings (different OS, kernel, virtualization, some with Docker some without, different clouds, …), this strongly mitigates the risk that a significant portion of the supply gets into the hands of corrupted nodes.
This in turn ensures that the blockchain cannot fork and continue producing blocks.