I don't know what this xz thing is about, first time hearing it.
Someone pressured the maintainer of a compression tool used in a bunch of open source software to hand over the keys by citing burnout and offering to "help", then spent ~3 years slowly adding tiny changes that combined to form a backdoor in SSH that nearly compromised the entire internet or something.
It was only barely caught by accident because it made some thing some guy was doing that wasn't even related a fraction of a second slower.
Been all over the FOSSiverse for days, and the social engineering that was used on the xz maintainer reminded me personally of similar pressure certain people have applied to Ernest in most threads about kbin performance I have seen.