
2 years of one engineer's time is very cheap, compared to e.g. the NSA's CryptoAG scam. I'd say most likely a Chinese intelligence plant, kindly offering to relieve the burden of the original author of xz.


I got the same idea. On the XZ dev mailing list there were a few discussions about "is there a maintainer?" 2-3 years ago. It's not hard to find these types of discussions and then dedicate a few years of effort to start "helping out" and eventually be the one signing releases for the project. That's peanuts for a state actor.


This right here. This is exactly what I would be doing - find small broke maintainers, offer them a few hundred grand - with a target in mind.



