The installer package happens to (reasonably) allow scripts to be run as part of the install/cleanup process. It’s an incidental bystander to the crime. Wasn't it supposed to be ultra secure? I could have sworn that was the reason given for why it was created in the first place.
JavaScript: Second only to Flash as a vector for malware and viruses. Please be responsible journalists and just write a single article stating the M1 is no more or less vulnerable to malware, and leave these “Apple Silicon vulnerability” framings to less reputable blogs. Apple never implied the M1 would be in any way more resistant to malware than Intel processors, and they bent over backward to make sure Intel code could run alongside natively compiled M1 code to make the processor as irrelevant as possible.
It can’t possibly be news that a malware author changed a compiler flag - Xcode practically begs all developers to also target Apple Silicon. A compiler target architecture is not remotely the same thing as an exploitable hardware target. It’s macOS that’s suffering the vulnerability, the same macOS that also runs on Intel. In none of these cases is the M1 chip exhibiting a vulnerability, other than macOS’ ability to cause code to be run upon it.
Every article about how M1 is now a malware target is stupid clickbait.