Re: What about the culprit
xz is maintained by one person, whilst being used practically everywhere. A person naming themselves 'Jia Tan' started contributing useful patches, and generally helping out, so the maintainer gradually started trusting them. At some point, whoever was operating the 'Jia Tan' account slipped this backdoor in as an unrelated change, and it got passed downstream to distros.
So there is definitely a culprit, and it's the person, or persons, behind the Jia Tan account, who deliberately preyed on the overworked maintainer to insert malicious code. Whoever they are, they're clearly skilled at social engineering. There's no way to tell whether they're a nation-state or just an amateur, but 'Jia Tan' almost certainly isn't their real name.