Note: To exploit this, an attacker would need to gain control of a trusted developer account, and they would leave evidence in a public feed. At time of writing, there is no known evidence of previous attack. Resolving this issue prevents future attacks.
CiviCRM versions 5.35.0 and earlier
CiviCRM version 5.35.1 and ESR version 5.33.3
Upgrade to the latest version of CiviCRM
Dave D for reporting the issue
Seamus Lee of JMA Consulting / CiviCRM Core Team and Monish Deb of JMA Consulting for fixing the issue
Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH for funding the fix