This was able to happen because KDE themes run arbitrary code written in Bash in order to change the behavior of KDE.
After reading this article, I had a few questions about Cinnamon:
- Do Cinnamon themes run arbitrary code in a similar way to how KDE themes work, or not (at the cost of being less powerful)?
- If they do, is the code at least written in a safer language that is harder to screw up in (and has a smaller attack surface) rather than using shell scripts?
- To what extent are Cinnamon themes / spices monitored to make sure nobody uploads anything malicious on there?