Comment by AdmiralAsshat

That's a pity. It is incumbent upon the package manager vendors/curators to watch for this kind of stuff and bring the hammer down when it happens. Apple does it. Google does it. Mozilla does it.

I can guarantee that there are other commercial companies watching how this plays out. If the changes are simply rolled back without any real repercussions, what other malevolent entities will take away from this incident is, "You can inject adware into your acquired FOSS applications, but do so discretely."