I don't understand all the specifics around this but I know it's a big deal.
The xz command is on macOS and all Linux distributions so it's really serious.
The sad thing is that the original maintainer was being pressured to work on the repo when he was burnt out. Huge businesses depend on these kind of 1 person projects which is nuts. There shouldn't be this level of pressure on a solo developer to do the work when it's potentially just a hobby project.