I was MIA for a couple of days, and I come back to this. Stunned. That's all I can say. Thank God I usually keep scripts disabled and I run Linux (the exploit appears to target Windows specifically). All you Tails users were safe, too. BTW, I have argued multiple times on this forum that hidden services are just as capable of serving malicious code as clearnet sites, but they have more incentive to do so, because they know their users (and operators) want to be anonymous for fairly important reasons. You should enable NoScript at least on all hidden services, while I believe in general browsing large clearnet sites is safer. The other take away from this is that we now know the FBI hasn't cracked Tor. They had to deliver an application-level exploit, and they were lucky that the FH admin was insecure enough to use Windows, which we know he did because of the version string in his PGP key.