FIXED: https://scratch.mit.edu/projects/1314847707/#comments-544670668 There is a critical vulnerability with the editor that involves malicious SVGs being able to take control of your account and install malware on your computer. The problem comes from malicious SVG costumes. If a project contains one of these and you open the costume editor, the attacker can: -take full control of your Scratch account -run any JavaScript code they want -install malware on your computer if you’re using Scratch Desktop This only happens when the costume editor is opened. If you don’t open it, you’re not affected. If the project is yours or from someone you trust, it’s probably fine. Just don’t upload random SVGs. The Scratch Team already knows about this, so don’t spam the forums or people’s profiles. The best thing to do is calmly share the information while they work on a fix. My source says the exploit triggers when opening the costume editor, but to be extra safe, maybe avoid clicking “See Inside” on projects you don’t trust.
