Although PayPal hasn't yet responded to my "shouting", it seems they have just added an automatic redirect from 'secure' to 'www', so that should minimise the damage for people affected by this.
I actually downloaded a new osc install 2 days ago, so it still hasn't been updated (looks like it hasn't been updated at all for quite some time now).
By the way, the reason for my reinstall was that I was hit by a variant of the Santy worm, which 'defaces' websites (i.e. changes all the files on your server to a nonsense 'you have been defaced' page). Although the worm primarily seeks out servers running phpBB (which was also installed on my machine), the actual problem (as far as I understand it) is security issues in PHP. It's very well possible that osCommerce sites are also at risk.
So, update your PHP version asap if you want to prevent a nightmare.
:rolleyes: