First example we at MELPA have seen of an #emacs package getting hacked (upstream of us, in GitHub): https://github.com/kubernetes-el/kubernetes-el/issues/383
This repository has been compromised · Issue #383 · kubernetes-el/kubernetes-el

@noorul 929c639 This repository was compromised a few days ago. I've just discovered this a few minutes ago. Apparently a GitHub Action was used. I've removed the package from MELPA and blocke...

If installed, loading this compromised #emacs library would trigger the embedded shell command. Not very subtle, but this should be a reminder to the dev community that plugins for even niche dev tools can be an attack vector.
@sanityinc Strange that the PR was merged without maintainer approval.
@paniash I commented on the issue — I think the attacker stole a GitHub token via a privileged Actions run that was made without needing the maintainer's approval.