I don't have deep thoughts on this except "managing a FOSS project is hard and there's a highly profitable corporate ecosystem depending on stressed FOSS programmers that make nothing off their work." Informally-run projects by burnt-out people are ripe for exploitation by social engineering. It seems right now like somebody took advantage of that. The original maintainer, Lasse Collin, does not seem to have had any involvement except trusting the wrong person to try to keep his project maintained.
https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html
When this was posted, nobody cared about how Lasse Collin was doing. Today everyone has an opinion, because they're threatened or inconvenienced, but when things are going well, the hard work of running a prominent project is taken for granted.
I hope he's okay.