@modrinth https://xeiaso.net/blog/OVE-20221017-0001 seems to be a good succinct description of the situation.
@modrinth Frankly, this seems to me to have been something-like-a-vulnerability since forever: using polymc gave code execution on your desktop to whoever runs the metadata server, without leaving any verifiable audit traces (something like binary transparency logs could be used to leave indelible audit traces of all versions of meta files that were ever used by clients). If I understand the related threads on Twitter correctly, the metadata server would be contacted without explicit user request when "shit updates itself" (https://github.com/NixOS/nixpkgs/issues/196460#issuecomment-1281510701), so the rate at which that happens is likely nontrivial (and so acquiring access to the metadata server would be valuable from the POV of creating a botnet).
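The "binary transparency log" idea mentioned in the comment above, as an added illustrative example (not PolyMC, Modrinth or Prism code, and not something the commenter posted): a minimal RFC 6962/9162-style Merkle log in which the metadata server records every meta file version it serves, plus a launcher-side check that refuses any meta file for which the log cannot produce an inclusion proof against a signed tree head. Assumed for the example: the server returns `(index, inclusion path, signed tree head)` alongside each meta file, the tree-head "signature" is an HMAC stand-in for a real asymmetric signature, and the meta file bodies are constructed sample JSON rather than real launcher metadata.

```python
"""Added example: transparency-logged launcher metadata with client-side
inclusion verification. Illustrative only; not PolyMC/Modrinth/Prism code."""
import hashlib
import hmac
import json


def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()  # RFC 6962 leaf prefix


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()  # RFC 6962 node prefix


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves: list) -> bytes:
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_path(index: int, leaves: list) -> list:
    """Audit path for leaves[index], innermost sibling first (RFC 6962 2.1.1)."""
    n = len(leaves)
    if n == 1:
        return []
    k = _split(n)
    if index < k:
        return inclusion_path(index, leaves[:k]) + [merkle_root(leaves[k:])]
    return inclusion_path(index - k, leaves[k:]) + [merkle_root(leaves[:k])]


def verify_inclusion(leaf: bytes, index: int, size: int, path: list, root: bytes) -> bool:
    """Inclusion-proof verification as specified in RFC 9162 section 2.1.3.2."""
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            if not fn & 1:  # right-shift until LSB(fn) is set or fn == 0
                while fn and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


class MetaLog:
    """Append-only log kept by the metadata server (or an independent operator).
    `entries` is the audit trace: every meta file version ever served."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key  # stand-in for the log's private key (assumption)
        self._leaves = []
        self.entries = []

    def publish(self, name: str, body: bytes) -> dict:
        self.entries.append((name, body))
        self._leaves.append(leaf_hash(body))
        idx = len(self._leaves) - 1
        return {"index": idx,
                "path": [h.hex() for h in inclusion_path(idx, self._leaves)],
                "sth": self.tree_head()}

    def tree_head(self) -> dict:
        size, root = len(self._leaves), merkle_root(self._leaves).hex()
        msg = json.dumps({"size": size, "root": root}, sort_keys=True).encode()
        return {"size": size, "root": root,
                "sig": hmac.new(self._key, msg, "sha256").hexdigest()}  # HMAC stand-in for a signature


def client_accepts(body: bytes, bundle: dict, log_key: bytes) -> bool:
    """Launcher-side gate: use the meta file only if a signed tree head provably
    contains exactly these bytes. Anything the log did not record is refused."""
    sth = bundle["sth"]
    msg = json.dumps({"size": sth["size"], "root": sth["root"]}, sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(log_key, msg, "sha256").hexdigest(), sth["sig"]):
        return False
    path = [bytes.fromhex(h) for h in bundle["path"]]
    return verify_inclusion(leaf_hash(body), bundle["index"], sth["size"], path,
                            bytes.fromhex(sth["root"]))


def demo() -> tuple:
    key = b"demo-log-key"  # assumed verification key shared for this example only
    log = MetaLog(key)
    # Constructed sample meta files; not real launcher metadata.
    versions = [b'{"version":"1.19.2","url":"https://example.invalid/a.jar"}',
                b'{"version":"1.19.3","url":"https://example.invalid/b.jar"}',
                b'{"version":"1.19.4","url":"https://example.invalid/c.jar"}']
    bundles = [log.publish("net.minecraft/%d.json" % i, v) for i, v in enumerate(versions)]
    genuine = client_accepts(versions[2], bundles[2], key)
    tampered = client_accepts(b'{"url":"https://example.invalid/evil.jar"}', bundles[2], key)
    older_still_valid = all(client_accepts(v, b, key) for v, b in zip(versions, bundles))
    return genuine, tampered, older_still_valid


if __name__ == "__main__":
    print(demo())
```

The point of the gate is that a server which wants the launcher to accept a malicious meta file has to put that file into the log first, where any auditor who mirrors `entries` can see it; a file handed out off-log fails `verify_inclusion` and is discarded. In a real deployment the tree head would carry an asymmetric signature and clients would also check consistency between successive tree heads so the log cannot be rewritten.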