A while ago I saw that acme.sh now uses ZeroSSL by default.

"We now have another confirmation on Twitter that remote code is executed and a glimpse into what the script is... it appears to be benign."

It was not. Don't use acme.sh.

	▲	rsync 2 months ago \| parent [-]
		I went down the acme/HiCA/RCE rabbit hole a year or so ago and, while I don't remember the specifics, my feeling was that the RCE was not that dangerous and was put into place by greedy scammers thwarting the rules of cert (re)selling and not by shadowy actors trying to infiltrate sensitive infra ... Is there new information ? Was my impression wrong ?