It's worse. Even if you DO know and trust the developer, in a year or two, they're probably going to get an email from a nice man who will want to buy their extension for $10,000, and they've long gotten bored of it, so why not?
I would hope that these days the popular extension devs would know about this type of attack and would guard against it by perhaps selling the extension code but shutting down the original extension page under their control so users have to choose to install the new company's extension. As a matter of fact, why won't Google/Mozilla prevent this by making an extension and a person's account inseparable, and have legal language in the ToS that says they can't sell the extension as-is with the install base to a new company? It would prevent so much.
loading story #42798679
loading story #42797405
loading story #42796814
loading story #42798647
loading story #42798063
Could turn off automatic updates so it won't matter who buys it
Can't you pin the extension version so it doesn't auto-update?