[whatgoodisaroad]

Keep in mind, in the really malicious cases where an extension has changed hands, they often just sell the credentials to the Google developer account, so this won't detect those cases.

[SunlitCat]

Is selling the whole developer account even allowed?

[Etheryte]

Many things are sold that are not allowed to be sold, hasn't stopped criminals yet.

[qwertox]

But are these developers initially criminals? I doubt so. And putting at risk associated accounts (same phone number for registration, recovery email address) isn't a comfortable game to play for most normal developers.

[asadotzler]

well, selling your installed base to someone you know to be evil may not be criminal, but it's certainly sleazy.

[r00fus]

Being sleazy is rewarded in capitalism.

[artyom]

All you need is to send your password, and a quick session to set up 2FA with the buyer's methods, update recovery settings, etc.

As long as you don't use that account for anything else, it's seamless.

Legalese isn't going to stop that.