Technically, the backdoor is in xz-utils, and affects sshd when it is linked into sshd at runtime, as happens in most Linux distributions. The backdoor could conceivably be designed to affect other programs in addition to sshd. (Of course, affecting sshd is bad enough.)

It's a pretty sophisticated "supply chain" attack. Sadly, the upstream xz-utils project maintainer is either complicit or compromised.

nostr:note1mqvnsk7me3wt3xd2pqyu04chlvygdphkt5p8sm56wxa28agxtc5stt2l5q
