The attacker was very focused on what they did, so many distributions may be unaffected even if they ship the 5.6 branch. For example, on Arch Linux sshd is not even using liblzma. The author might’ve hidden more surprises, but for now there is no indication other commits were malicious. It’s possible they either used them to build reputation or the identity was stolen.
It’s also worth noting that xz was affected, but the person was active elsewhere too. Code they experimented with included LZ4, libarchive, zstd (Meta) and Microsoft docs. They didn’t commit to these repos, but the bullets might’ve missed us by inches. They also worked with many unspecified proprietary repositories.
In general I’d say it’s best to let the dust settle and wait for the news from people who are currently working on resolving the issue. Sensationalism isn’t serving anybody in this case. At worst it may open opportunities for FUD or be noticed by general population media.
Every time an exploit or attack happens that receives wide attention we are told it was a "very sophisticated" one created by an army of uniformed people from an evil state. After the hype dies it turns out that it was done by a bored 16-year-old kiddy in grandma's basement.
These two are not mutually exclusive. Perhaps wearing a uniform in grandma’s basement may be inconvenient, but don’t get carried away with the perfection level achieved in government agencies. It’s primarily a matter of organisation, funding and coördination, not personal skills.
The sophistication level is in this case in plain sight too. That’s not an opinion of an anonymous TV expert: what the attacker has done has been outlined and you can compare that to the baseline.