The crazy thing about the xz issue was, that xz is not even a dependency of openssh, but of systemd. And the xz backdoor exploited the systemd integration of openssh. This exploit was invisible to people that tested plain openssh without one of the most common integrations into Linux.
