Hacker News

lapcat, yesterday at 10:04 AM

> Depends on the target and what you can get. Think about Bartender,

As I said in another comment, Bartender had no target! It was not an attack. An app was sold by one developer to another developer. End of story.

> If you know of someone specific you want to target who uses it

But you don't. And you don't in the case of Little Snitch either.

You can dream up a bunch of absurd hypothetical scenarios, but they are not the reality.

> Someone who wanted to target you

Nobody wants to target me. Nobody cares about me. I am insignificant.


Replies

latexr, yesterday at 10:24 AM

> Bartender had no target! It was not an attack.

The point is that it shows it can happen. You’re a browser extension developer, surely you know how often it happens that developers of popular extensions are approached by shady businesses and sometimes do even sell.

> You can dream up a bunch of absurd hypothetical scenarios, but they are not the reality.

As someone else has pointed out to you, not hypothetical.

https://news.ycombinator.com/item?id=47699068

> Nobody wants to target me. Nobody cares about me. I am insignificant.

You give yourself too little credit. I know of several developers and other people with influence who use your extensions with complete trust. Compromising you means compromising them, which means compromising even more people. Jia Tan has aptly demonstrated you don’t need to directly attack your final target, only a link in the chain, even if it looks insignificant.
