> we have a strict subset of Chrome extensions allowed for install. All of which have been vetted by our security team.

How do you handle a situation like this, where an extension was previously trusted (and would therefore have passed your vetting procedure), then acquired by somebody else who is apparently malicious? Do you review every new version?