Afaict they are in fact waiting for CI to do the big rebuild on staging, in part because the Nixpkgs builds of 5.6.x never pulled down the malicious m4 scripts that inject the backdoor into the output binary (as they never used the release tarball directly from upstream but built from GitHub sources).
It's also worth noting that Guix is different here, as the grafts mechanism is well-established, so they can get a security patch in for xz without waiting for the mass rebuild, even if it's also in their stdenv or equivalent.
See: https://github.com/NixOS/nixpkgs/issues/300055
and: https://github.com/NixOS/nixpkgs/pull/300028
It's also worth noting that Guix is different here, as the grafts mechanism is well-established, so they can get a security patch in for xz without waiting for the mass rebuild, even if it's also in their stdenv or equivalent.