Andres Freund found that xz-utils is backdoored, but could not (despite the otherwise excellent analysis) get quite to the bottom of what the payload actually does.
What you would hope for to be posted by others: Further analysis of the payload.
What actually gets posted by others: “systemd is bad.”
Update: Good preliminary analysis.