Eek. Apparently liblzma (part of the xz package) has a backdoor in versions 5.6.0 and 5.6.1, causing SSH to be compromised.
https://www.openwall.com/lists/oss-security/2024/03/29/4
This might even have been done on purpose by the upstream devs.
Developing story, please take with a grain of salt.
The 5.6 versions are somewhat recent, depending on how bleeding edge your distro is you might not be affected.