For WordPress plugins and Chrome/Firefox extensions, the most common channel of attack is that the developer just sold the plugin for money.
They sold the developer key, the domain name, the organization, or whatever was needed to publish updates to that plugin.