This story is horrifying. There was a 3-year-long operation to inject malicious code into the XZ Utils package and make it a part of an OpenSSH backdoor. The analysis is still ongoing, but it's already obvious that this wasn't just a “black hat”. The current assumption is that this was backed by some government.