For those not in the know: aussie man explains. A KDE Plasma 6 global theme deleted a user's files. Global themes may contain arbitrary Javascript code, and a bug (using a library written for Plasma 5) caused it to essentially run rm -rf /*, Steam-style. KDE have since removed the theme and are considering next steps to warn the user that the "official" KDE store contains user-submitted content, and that some addons may contain potentially dangerous code.
I still remember that video I watched where a line in the Steam code back in the day was titled SCARY!!!!! and it was rm -rf $STEAMROOT. This nuked a guy's computer because short answer $STEAMROOT was actually / root, long answer here's the video. This nuked both his PC and his external drive that is some pretty bad code but this JavaScript code is up there
That's the issue I linked. The problem was that at some point a script executed rm -rf "$STEAMROOT/*", but did not make sure that $STEAMROOT was set. If for some reason it was empty, the path became /* after substitution.
Seriously though we need to work on improving security. A theme probably shouldn't be running code and if it is it needs to be sandboxed with its only access being an API
I know I'm late with this but it's not just a theme. It's a global theme. Those need to run code, so they really can't be sandboxed the same way a regular theme can be
People in one of the other threads were speculating that it is widgets, or one theme that is able to do multiple configurations. Really should be containerized or something, tho.
Setting themes do mant things and they are not like adding a colorscheme or so. Like there are tweaks that comes wuth themes which needs shell access to heavily modify the desktop
On the contrary, in my opinion if they are clearly labelled as a joke, they are a great way for people who don't understand them to ask why and, in the process, being a little more informed on what not to do and what it's dangerous.
Especially because there's really no risk of emulation in this case.