Yes, something like the https://slashdot.org/
approach (report+quote) is really useful, not only because links sometimes end up being broken.
And yes, selling your extension to malware guys sucks.
I wonder what could prevent that... Chrome auto-disabling an extension once the owner changes, so that the user has to enable it again manually? But then some bad guys could try to just 'lease' the extension from the owner, abusing it without a change in ownership. But that would probably be limited to countries like Russia, where it's not likely to suffer the consequences if you distribute malware to people outside of Russia. (Yes, I read in this case it's probably Turkey, not Russia.)