It looks like I already had #xz 5.6.1 on my Mac. Downgrade was already pushed into brew. Luckily, the code is only activated on x86_64 and Linux OS IIUC.
But to put things into perspective, FreeBSD does use the same library. PlayStation OS is based off FreeBSD, as well as a ton of other things. Not that PS5 runs sshd or anything, just saying.
@lzap The compromised xz was included in a Microsoft C++ tool too.
https://github.com/microsoft/vcpkg/issues/37839
It's used not just on Linux, but also on macOS and Windows.
It makes me wonder how much stuff like this is already out there "in the wild", especially in proprietary software (including permissive FOSS that was absorbed or relicensed), where people aren't auditing as much.