> surely you know how often it happens that developers of popular extensions are approached by shady businesses and sometimes do even sell.

Yes, developers of free extensions who sell for a pittance.

I don't have a popular extension. My extension is relatively expensive and thus unpopular. I don't have enough users to be interesting to shady businesses. My extension is more valuable to me than to anyone else, because I, one person, can make a living from it.

> As someone else has pointed out to you, not hypothetical.

That link seems a bit silly. There's a screenshot with no explanatory context whatsoever. There's a list of items, many of which look quite mundane and uninteresting. Certainly it is not suggesting acquiring the company for millions of dollars. It sounds like someone—could even be an intern for all we know—is interested in attacking the app from the outside.

I agree with tptacek: "This is clownish" https://news.ycombinator.com/item?id=13813828

> You give yourself too little credit.

No, I give myself too much credit. ;-)

> I know of several developers and other people with influence who use your extensions with complete trust. Compromising you means compromising them, which means compromising even more people.

What is the value of compromising these people? Oh noes, the CIA can now write Daring Fireball articles!

> Jia Tan has aptly demonstrated you don’t need to directly attack your final target, only a link in the chain, even if it looks insignificant.

What chain? I have no third-party dependencies. If someone can compromise Apple's operating systems, then my software or Little Snitch is the least of our worries.

I do specifically and intentionally avoid using NPM, because of frequent compromises. Little Snitch is not even JavaScript, so no worries there.