Firstly, thank you for making me aware of this! "It also helps that it really only made it to the public through Debian unstable and testing."
According to this article, https://thenewstack.io/malicious-code-in-linux-xz-libraries-endangers-ssh/, xz is a "core Linux compression utility". I wasn't aware. So any unstable/testing distro is vulnerable. "Red Hat was first to break the news of the boobytrap."

Here's the pkg & version info for those who want to do a quick system check.

Package: xz-utils
Version: 5.6.1+really5.4.5-1

Refer to full Debian bug report => https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024&utm_source=the+new+stack&utm_medium=referral&utm_content=inline-mention&utm_campaign=tns+platform

The most troubling aspect of this malware is this: "I count a minimum of 750 commits or contributions to xz by Jia Tan, who backdoored it. This includes all 700 commits made after they merged a pull request in Jan 2023, at which point they appear to have already had direct push access, which would have also let them push commits with forged authors. Probably a number of other commits before that point as well."

So there might be more malware lurking and there might be more security fallout.
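An added example, not part of the post above: a shell sketch of the quick system check, which reads the version string the way Debian's "+really" convention intends (the package sorts after 5.6.1 but ships the 5.4.5 code). The function names are hypothetical, and the second sample version in the comments is constructed.

```bash
#!/bin/sh
# Added example: interpret a Debian xz-utils version string for a quick check.

# Version string quoted in the post above.
PAGE_VERSION='5.6.1+really5.4.5-1'

# Print the upstream release a package actually contains.
# Debian layout: [epoch:]upstream[-revision]. An upstream part of the form
# "X+reallyY" sorts after X but ships the code of Y (a rollback).
effective_upstream() {
    local v="$1"
    v=${v#*:}                       # drop an epoch such as "1:" (constructed case)
    v=${v%-*}                       # drop the Debian revision after the last "-"
    case $v in
        *+really*) v=${v##*+really} ;;   # keep only the real upstream version
    esac
    echo "$v"
}

# Say whether the label can be taken at face value or is a rollback.
classify() {
    case $1 in
        *+really*) echo "reverted to $(effective_upstream "$1")" ;;
        *)         echo "as-labelled $(effective_upstream "$1")" ;;
    esac
}

# Query the installed package where dpkg is available; report and return elsewhere.
check_installed() {
    command -v dpkg-query >/dev/null 2>&1 || { echo "dpkg-query not found"; return 0; }
    local inst
    inst=$(dpkg-query -W -f='${Version}' xz-utils 2>/dev/null) || inst=''
    if [ -z "$inst" ]; then echo "xz-utils not installed"; return 0; fi
    echo "xz-utils $inst: $(classify "$inst")"
    [ "$inst" = "$PAGE_VERSION" ] && echo "matches the version listed in the post"
    return 0
}

check_installed
```

A check that only matches on the leading "5.6.1" would misread this package; the part after "+really" is what is installed.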