I was the original author of a topic about a malicious plugin that's been closed.
It was mentioned there I should have reported it to firstname.lastname@example.org instead of posting. I should point out that I did that too, but the plugin wasn't removed for more than 8 hours after I sent the message. During that time, at least one admin saw my post in the forum and closed the thread but didn't remove the plugin, allowing dozens more victims to download the malicious plugin that gave an attacker complete admin-level control of their blogs.
Posting "such-and-such plugin is malicious" in the forum makes that text appear on the plugin download page, which appears to be the only way to alert visitors to the problem before it's removed. On the other hand, posts like that are prone to abuse or misunderstandings, and I can see why they're discouraged. But I don't think it's clear to most people what should be done instead. Something like a "Report Malicious Plugin" button shown only to longtime registered users that sends something to the top of the queue before all the other junk that's presumably sent to email@example.com could be handy.
To throw out some other suggestions that would minimize the impact of malicious plugins:
- The site could flag newly created plugins. Something on the page could have indicated that the malicious "contact-form-73" plugin was only a couple of days old, and it could have appeared at the bottom of the search results.
- Any plugin uploaded by a recently registered author could also be flagged and lowered in search rankings.
- The site could allow authors to prove they own a plugin. In this case, the malicious plugin said "Author: takayukister", but that's the author of the real plugin, who didn't upload the malicious one. WordPress has that author's e-mail address on file and can send a message asking the author to verify that he really uploaded it.
- Two plugins with the same human-readable name should not be allowed in the directory.
- Newly created plugins with a small number of downloads should not appear in the results before long-established plugins with millions of downloads, because people choose the first thing they see with a reasonable name.
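
The flagging and ranking suggestions in the list above, sketched as an added example that is not part of the original post and is not WordPress.org code. The record fields, the 30-day threshold, the flag names and every sample value other than "contact-form-73" and "takayukister" are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

NEW_DAYS = 30  # assumed cut-off for "newly created" / "recently registered"

@dataclass
class Plugin:
    slug: str
    name: str              # human-readable name shown in search results
    claimed_author: str    # "Author:" value declared by the plugin itself
    uploader: str          # directory account that actually uploaded it
    created: date
    uploader_registered: date
    downloads: int

def review(plugins, today):
    """Return ({slug: [flags]}, slugs in suggested search order)."""
    # The oldest plugin keeps a display name; later ones count as duplicates.
    first_holder = {}
    for p in sorted(plugins, key=lambda p: p.created):
        first_holder.setdefault(p.name.strip().lower(), p.slug)
    report = {}
    for p in plugins:
        flags = []
        if (today - p.created).days < NEW_DAYS:
            flags.append("new-plugin")
        if (today - p.uploader_registered).days < NEW_DAYS:
            flags.append("new-author")
        if p.claimed_author.lower() != p.uploader.lower():
            flags.append("author-unverified")  # needs e-mail confirmation
        if first_holder[p.name.strip().lower()] != p.slug:
            flags.append("duplicate-name")
        report[p.slug] = flags
    # Flagged entries sink; among equals, long-established downloads win.
    ranked = sorted(plugins, key=lambda p: (len(report[p.slug]), -p.downloads))
    return report, [p.slug for p in ranked]

# Constructed sample data: only "contact-form-73" and "takayukister" come
# from the post; every other value here is made up for illustration.
TODAY = date(2024, 1, 10)
SAMPLE = [
    Plugin("contact-form-73", "Contact Form", "takayukister", "new-uploader",
           date(2024, 1, 8), date(2024, 1, 7), 40),
    Plugin("established-contact-form", "Contact Form", "takayukister",
           "takayukister", date(2015, 1, 1), date(2014, 1, 1), 5_000_000),
]

if __name__ == "__main__":
    report, order = review(SAMPLE, TODAY)
    for slug in order:
        print(slug, report[slug] or "no flags")
```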