It's interesting that this vulnerability has not had the flag raised in the wider Lisp community, since it also applies there.
Most of the packages and modules that the Lisp systems have are shipped as source code, and compiled on site. That suggests that innocuous importing of an internet-sourced module can wreak havoc on your system just by loading it; you don't even have to run it.
Granted, it's not quite the same as having something like auto-complete drain your bitcoin wallet, but it's close.
In most every other ecosystem you actually have to run the code itself to be worried about an exploitation (which, mind, in today's world is a low bar, but a bar nonetheless).
I think you can just load (require?) a Python module and not run it and it will execute the Python code.
I don't think that this is exclusive to Python either.
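The behaviour discussed in the comments above, as an added example that is not part of the original thread: importing a Python module executes its top-level statements, and the second function lists those import-time calls by parsing the source with `ast` instead of loading it. The sample module, the `IMPORT_DEMO_MARKER` variable and the function names are constructed for illustration.

```python
import ast
import importlib.util
import os
import tempfile

# Constructed sample module: harmless, but its top-level code has a side effect.
SAMPLE_SOURCE = '''\
import os
MARKER = os.environ.setdefault("IMPORT_DEMO_MARKER", "set-at-import")

def helper():
    return print("only runs when called")

class Config:
    default = len("abc")
'''

def import_runs_top_level(source):
    """Load the source as a module; report whether its top-level code ran."""
    os.environ.pop("IMPORT_DEMO_MARKER", None)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample_mod.py")
        with open(path, "w") as fh:
            fh.write(source)
        spec = importlib.util.spec_from_file_location("sample_mod", path)
        module = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(module)  # the step an `import` statement performs
    return os.environ.get("IMPORT_DEMO_MARKER") == "set-at-import"

def calls_executed_on_import(source):
    """Parse without executing; return (line, callee) for calls run at import."""
    found = []
    def visit(node):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            # Bodies are deferred; decorators and argument defaults run at def time.
            args = node.args
            children = (getattr(node, "decorator_list", []) + args.defaults
                        + [d for d in args.kw_defaults if d is not None])
        else:
            children = list(ast.iter_child_nodes(node))  # class bodies run on import
        if isinstance(node, ast.Call):
            found.append((node.lineno, ast.unparse(node.func)))
        for child in children:
            visit(child)
    visit(ast.parse(source))
    return sorted(found)

if __name__ == "__main__":
    print(calls_executed_on_import(SAMPLE_SOURCE))
    print("top-level code ran on import:", import_runs_top_level(SAMPLE_SOURCE))
```

The `ast` pass is a review aid, not a sandbox: it lists direct calls only and says nothing about what the called code does.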