I just did: “rm -rf xz”

pacman -Syu
find / -name "*xz*"  | sort | grep -e '\.xz$' | xargs -o -n1 rm -i 
pacman -Qqn | pacman -S -

(and please, absolutely don’t run above as root. Just don’t.) I carefully answered to retain any root owned files and my backups, despite knowing the backdoor wasn’t included in the culprit package. This system has now “un-trusted” status, meaning I’ll clean re-install the OS, once the full analysis of the backdoor payload is available.

Edit: I also booted the “untrusted” system without physical access to the web, no gui, and installed the fixed package transferred to it locally. (that system is also going to be dd if=/dev/zero'd)