Should be noted that a lot of companies have absolutely no idea what was actually stolen due to insufficient logging.

Talking to the threat actor usually means getting some of the required info for GDPR.

He claims the blast radius is bigger, not just Linux. He also claims to be in talks with Apple. So the educated guess would still be openssh

Honestly, for closed source software the POCs are also immediately available. Lots of threat actors just use patch diffing.

These days vulnerabilities are at times also patched with other non-related commits to conceal what exactly has changed.

Because you’d need perfect infosec to pull this off