No, there is no consensus yet on when this started.
xz was already rebuild to mitigate the known issue (release manager created tarball contains code with a backdoor), github automatically created source tar does not contain it. Thus xz was rebuild from github source.
See commit from yesterday:
https://github.com/KaOSx/core/commit/ef3e86b6f8dbb4c78aade33d28f36bb5f9c9a2de
Tests had already been run if either xz package (in core or build) are effected by known backdoor, neither is.
But, not listed in the security link above is the fear that this malicious code injection has been going on much longer, so there is no use in going back to any other version. Another point, so far only deb & rpm can be effected by known backdoor, and distros that are doing a lot of linking with lzma, neither is the case in KaOS.