Hacker News

packtreefly | last Sunday at 11:47 PM | 0 replies

It's painful, but I've grown distrustful enough of the ecosystem that I disable updates on every IDE plugin not maintained by a company with known-adequate security controls and review the source code of plugin changes before installing updates, typically opting out unless something is broken.

It's unclear to me if the code linked on the plugin's description page is in any way guaranteed to be the code that the IDE downloads.

The status quo in software distribution is simultaneously convenient, extraordinarily useful, and inescapably fucked.