This issue stands for apps as well. I once had someone try to buy [1] my popular Android app just to replace it with malware which would then be pushed to users through an innocuous update. What's so interesting to me is that there's no good way to prevent or even detect this.

[1] https://willrobbins.org/a-clever-malware-tactic-and-why-ther...