bleepingcomputer[.]com/news/microsoft/windows-10-themes-can-be-abused-to-steal-windows-accounts/
Anyone can package a theme to share, including settings, in Win10 Settings. Someone can set up a theme that causes Win10 to try and log in to a remote system. The article wasn't clear [to me anyway], whether Win10 would prompt you to log in, or if it would do it automatically, like when you visit the Microsoft site for your account. When/if Win10 does log in, it sends your login name and a hash of the password. The author said it took him about 4 seconds to crack a weak password.
While the author talks about different security measures, *to me* it seems simpler just to practice good hygiene -- Don't Download Themes from untrusted sites.