Actually, as soon as we were notified of the issue, the plugin was closed and hidden on a temporary basis until we had time to evaluate the problem. Once we had done so, I personally created a new version of the plugin, without the malicious code, and pushed it to the repository in order to get the update out to the affected users. The existing committers were all removed, leaving the plugin entirely in the hands of the plugin team. The latest version is now safe and will not be otherwise until we determine the full details of what happened here.
Full disclosure is great, but some advance notice longer than a day or so helps a lot. We will always protect our users to the best of our ability, but sometimes, we get blind sided. It happens. Nobody posts about the dozens of other times we fix things before they get exploited. Not judging, just saying.