I have downloaded a plugin for adding Google Analytics code to my site. I later discovered it was a scam, with someone else's source code and a tiny javascript source code appended to the end which attempts to download a darkleech trojan from myftp.org
I followed up with a review to warn others, and then tracked the author's other 'work'. As it turns out he has done the same with an SMTP Mail plugin, a Google Maps plugin, and a redirects plugin.
How and where do we report these offenders hiding in plain sight?