There is a vulnerability in the Plasma desktop that KDE developers are currently working to patch. The details are here.
https://www.zdnet.com/article/unpatched-kde-vulnerability-disclosed-on-twitter/
For the moment, avoid downloading .desktop or .directory files and extracting archives from untrusted sources.
Also, if you discover a similar vulnerability, it is best to send an email to security@kde.org before making it public. This will give us time to patch it and keep users safe before the bad guys try to exploit it.
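One way to act on the advice about untrusted archives, as an added example that is not part of the original post or KDE's own code: list a tar or zip archive's members without extracting anything and flag any .desktop or .directory files. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import tarfile
import zipfile
from pathlib import PurePosixPath

# File names the advisory says to avoid when they come from untrusted sources.
RISKY_SUFFIXES = (".desktop", ".directory")


def is_risky(member_name: str) -> bool:
    """True if the archive member is a .desktop or .directory file."""
    # Normalise Windows-style separators, then compare the base name only.
    base = PurePosixPath(member_name.replace("\\", "/")).name.lower()
    return base.endswith(RISKY_SUFFIXES)


def list_members(data: bytes) -> list[str]:
    """Return member names of a zip or tar archive without extracting it."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            return zf.namelist()
    buf.seek(0)
    # "r:*" lets tarfile detect plain, gzip, bzip2 or xz compression.
    with tarfile.open(fileobj=buf, mode="r:*") as tf:
        return tf.getnames()


def risky_members(data: bytes) -> list[str]:
    """Members that should stop you from extracting an untrusted archive."""
    return [name for name in list_members(data) if is_risky(name)]


def constructed_sample() -> bytes:
    """Build a small tar.gz in memory (constructed sample, not a real artifact)."""
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:gz") as tf:
        for name in ("theme/README.txt", "theme/.directory", "theme/app.desktop"):
            payload = b"placeholder\n"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return out.getvalue()


if __name__ == "__main__":
    for name in risky_members(constructed_sample()):
        print("do not extract, archive contains:", name)
```

To check a downloaded file, pass its bytes to `risky_members()` and extract only if the returned list is empty.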