
CVE-2024-3094: Malicious code in xz 5.6.0 and 5.6.1 tarballs

The nixpkgs derivation does not rely on cmake so this change does not affect it.

In addition to the original OSS Sec post, blog posts detailing how the known backdoor payload is added have been published today, see Home · Midar/xz-backdoor-documentation Wiki · GitHub and xz/liblzma: Bash-stage Obfuscation Explained - gynvael.coldwind//vx.log (it’s an interesting read anyway). That should help you reproduce and understand the process yourself if you want to gain confidence.

For packages using pre-built binaries, I have checked (using GitHub - delroth/grep-nixos-cache: Finds strings in a large list of cached NixOS store paths) the Linux x86_64 packages of the current nixpkgs unstable channel available in the cache. I have not been able to find a match for the known backdoor payload.
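As an added example (not the post's own steps and not code from the grep-nixos-cache project), the check described above boils down to searching a large set of files for one fixed byte sequence. The script below does that over a directory tree, reading each file in chunks and carrying the tail of one chunk into the next so a signature that straddles a read boundary is still found, which is the case a naive per-chunk search misses. The signature, file names and contents are constructed placeholders; for the real check you would substitute the function-prologue bytes given in the detect.sh script of the original oss-security disclosure and point it at the store paths you pulled from the cache.

```python
"""Chunked byte-signature scanner over a file tree (added example, not grep-nixos-cache)."""
import os
import tempfile
from typing import Dict, List

# Assumption: a constructed placeholder, not a real indicator. For the xz backdoor,
# substitute the function-prologue byte sequence from the oss-security detect.sh.
SIGNATURE = bytes.fromhex("0f0bcc90deadbeef")


def scan_file(path: str, signature: bytes, chunk_size: int = 1 << 20) -> List[int]:
    """Return the byte offsets of every occurrence of `signature` in the file at `path`.

    The last len(signature)-1 bytes of each chunk are carried into the next read, so a
    match that spans two chunks is found exactly once and no match is reported twice.
    """
    if not signature:
        raise ValueError("empty signature")
    if chunk_size < 1:
        raise ValueError("chunk_size must be positive")
    offsets: List[int] = []
    carry = b""
    base = 0  # absolute file offset of carry[0], or of the next chunk when carry is empty
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            buf = carry + chunk
            idx = buf.find(signature)
            while idx >= 0:
                offsets.append(base + idx)
                idx = buf.find(signature, idx + 1)
            keep = min(len(signature) - 1, len(buf))
            carry = buf[len(buf) - keep:]
            base += len(buf) - keep
    return offsets


def scan_tree(root: str, signature: bytes, chunk_size: int = 1 << 20) -> Dict[str, List[int]]:
    """Walk `root` and scan every regular file; symlinks and unreadable files are skipped."""
    hits: Dict[str, List[int]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            try:
                offsets = scan_file(full, signature, chunk_size)
            except OSError:
                continue  # skip rather than abort the whole scan on one bad file
            if offsets:
                hits[os.path.relpath(full, root)] = offsets
    return hits


def demo(chunk_size: int = 16) -> Dict[str, List[int]]:
    """Build a throwaway tree of constructed sample files and scan it.

    The tiny chunk_size puts straddle.so's signature across a read boundary (bytes
    12..19 with the boundary at 16) and makes double.so's second hit land in a
    carried-over tail, exercising both edge cases of the chunked search.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        samples = {  # constructed contents, not real ELF files
            "lib/clean.so": b"\x7fELF" + b"\x00" * 40,
            "lib/hit.so": b"\x7fELF" + b"\x00" * 4 + SIGNATURE + b"\x90" * 4,
            "lib/straddle.so": b"A" * 12 + SIGNATURE + b"B" * 12,
            "lib/double.so": SIGNATURE + b"\x00" * 20 + SIGNATURE,
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        os.symlink("hit.so", os.path.join(root, "lib", "link.so"))  # must be skipped
        return scan_tree(root, SIGNATURE, chunk_size)


if __name__ == "__main__":
    for rel, offs in sorted(demo().items()):
        print(f"{rel}: {', '.join(hex(o) for o in offs)}")
```

Run against real store paths, the default 1 MiB chunk keeps memory flat on large shared objects; the small chunk size in `demo()` exists only to force the boundary cases. A hit on the placeholder pattern means nothing, and a miss on the real signature is only evidence about that one build of the payload, as the post itself is careful to say.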
