I don't think, that removing this package from Debian is the right way. Users who have it installed get no notice and would keep this (apparent) malware. There should be a new package version, that does not contain the plugin anymore (like transitional packages), for both stable-sec and unstable (maybe oldstable too)?
