I struck a deal with my extension's hacker and turned out better than expected

HN might be interested in the nature of the hack. It was a MITM attack by listening to background message handlers and impersonating the server.

The extension is not high value enough to build in high security certificate pinning (like some of the twitter replies recommended). I wonder if there is an easier way to avoid this.