The xz package that has already entered the current F40 pre-release versions/variants and rawhide contains malicious code. This does NOT affect users of the Fedora releases (F38, F39 are thus not affected), but all users who use already F40 pre-release versions/variants or rawhide shall read this: ...
I'm on Void, and I had the malicious version installed. Updating the system downgraded xz to 5.4.6, so it seems they are on it. I'll be watching discussions to decide if my system might still be compromised.