_Please_ do not advise people to run `xz --version` or similar to check whether they're affected or not.
Right now, as far as I know, the analysis of the obfuscated malware is far from complete. There may be other triggers. There may be malware in older versions, because the attacker had commit access for years.
By running xz and asking it for its version, you're _running_ what could be more malware.
Instead, ask the system's package manager which version of xz is currently installed.