Last month we moved the neon archive to a new server so packages got built on our existing server then uploaded to the new server. Checking the config it seemed I’d made the nasty error of leaving it open to the world rather than requiring an ssh gateway to access the apt repository, so anyone scanning around could have uploaded packages. There’s no reason to think that happened but the default in security is to be paranoid for any possibility. The security advisory is out, the archives have been wiped and all packages in User rebuilt so upgrade now to get the new package builds, or for extra security do a reinstall. The new User Edition ISO is out and I’ll update the website once that gets mirrored enough. Developer Editions packages are being rebuild now and go directly into the archives so you should start seeing those appear shortly as they are built. Sorry for the hassle folks, you wouldn’t want us to just hide it I’m sure.