If you use Signal's "Desktop" app and haven't updated it today, do that *now*.
(They just fixed a relatively-easily exploitable issue that could at least steal your messages, and possibly do much more.)
It appears as though if you've been attacked that way, you'll also get a message to your phone with the exploit code in a not-executed form too, so at least you'll know, but it could be too late then anyway.
@er1n Yup. It appears to be https://github.com/signalapp/Signal-Desktop/blob/development/js/modules/link_text.js#L14 plus the lack of escaping (they dropped it from https://github.com/uiureo/link-text/blob/master/index.js#L22).
The fix just linkifies already-escaped text: https://github.com/signalapp/Signal-Desktop/commit/bfbd84f5d1308cdfcb08a1727821f7103be151ea#diff-db048f75862bb27440664d61f13f9d1cR516
This is a personal Mastodon instance.