by nenaan 2071 days ago
I suppose if there was ill intent, they would have silenced the seller with an NDA. It would be silly to let the seller sink your nefarious plan by letting the world know that ownership has transferred.

There's plenty of people that simply won't know ownership has changed because they just consume the published extension. They're clearly maintaining two sets of code, one for github and one for publishing extensions; nefarious is a strong word, it is at least suspect.

As far as an NDA goes, that's signaling to the current open-source maintainer that something nefarious is afoot. How would an NDA work? The maintainer hands over their GH account for the new party to commit under? The extension suddenly goes closed source? The maintainer doesn't acknowledge the community at all and rubber stamps anything the new party wants to commit to the repository?

It'd be far easier to publicly take over maintenance, do good for a month or so, then silently publish the malware. That was probably the best route here (the maintainer was going to donate most of the money they received back to the Turkish developers if they did a good job) and they'd have passed the transitory wave of scrutiny from seasoned devs like gorhill.