In theory, the issue should have been fixed by now. Cavallarin said he notified Apple of the vulnerability on February 22nd, and that was supposed to have been resolved as of macOS 10.14.5. He said it wasn't, though, and that Apple had stopped responding to his emails. He was publishing the flaw after giving Apple 90 days to address the issue.

We've asked Apple for comment. The chances of inadvertent exposure aren't high when you'll have to open a ZIP file as well as whatever's inside the network share, but this could trip up people who aren't familiar with either remote shares or the risks of unsolicited files. It also underscores the risks of explicitly trusting certain network environments, even if there's often a good reason for it.