Yeah, you can also check it by enabling the backdoor condition against a problematic binary:
$ nix build -f '<nixpkgs>' xz.out --out-link before
$ nix build --impure --expr 'with import <nixpkgs> {}; (xz.overrideAttrs (oa: { env.RPM_ARCH = "x86_64";})).out' --out-link after
$ ls -lh before/lib/liblzma.so.5.6.1 after/lib/liblzma.so.5.6.1
-r-xr-xr-x 2 root root 258K Jan 1 1970 after/lib/liblzma.so.5.6.1
-r-xr-xr-x 2 root root 210K Jan 1 1970 before/lib/liblzma.so.5.6.1
40 KB difference. And one of them contains the malware's _get_cpuid calls:
$ nix-shell -p binutils-unwrapped
$$ diff -u0 <(nm --format=just-symbols before/lib/liblzma.so.5.6.1) <(nm --format=just-symbols after/lib/liblzma.so.5.6.1)
--- /dev/fd/63 2024-03-31 10:02:48.977464772 +0100
+++ /dev/fd/62 2024-03-31 10:02:48.977464772 +0100
@@ -27,0 +28,2 @@
+__tls_get_addr@GLIBC_2.3
+_cpuid
@@ -28,0 +31 @@
+_get_cpuid
Thus by default at least those 40 KB of malicious payload were not included in nixpkgs.