FYI for whoever is reading this: it wasn't just a theme, but a Global Theme: it can include a Plasma Style, a color scheme, an icon theme, a panel layout template, an SDDM theme, wallpapers and widgets. Widgets are capable of running arbitrary code, just like GNOME extensions.

Here's the response article from one of our main developers: http://blog.davidedmundson.co.uk/blog/kde-store-content/

In the short term we need to communicate clearly what security expectations Plasma users should have for extensions they download into their desktops.

We need to improve the balance of accessing third party content that allows creators to share and have users to get this content easily, with enough speed-bumps and checks that everyone knows what risks are involved.

Longer term we need to progress on two avenues. We need to make sure we separate the "safe" content, where it is just metadata and content, from the "unsafe" content with scriptable content.

Then we can look at providing curation and auditing as part of the store process in combination with slowly improving sandbox support.

I was installing themes and I did see that one, but I didn't like it. I dodged a bullet that day and I didn't know it.

yup yup yup. didnt steam also have some "fun" rm -rf bug a few years ago? proper backups and sandboxing go a long way

Oofta. Theirs no reason a theme should be allowed to do this.