Per Soderlind recently alerted me to a rather important security issue regarding plugins hosted outside of WordPress.org. All WordPress.org hosted plugins receive plugin updates from WordPress.org. Commercial plugins often add scripts to provide plugin updates from other sources*, but the vast majority of plugins simply go without automatic updates at all.
Now, imagine a scenario in which you create a custom plugin, but someone with malicious intent registers a plugin with the exact same name and slug as yours with the WordPress.org repository. It is conceivable that you or someone else working on the site could accidentally hit the “update” button and be immediately infected by a malicious plugin launched to attack your site from WordPress.org itself. Joost de Valk made use of this very mechanism for good back in 2010, when he forced an auto-upgrade on the BlogPress SEO plugin, but an evil person could potentially do the same thing in a more malicious way.
Thankfully there is a very easy to use work around for this problem as you can simply deactivate the auto-updates via some code kindly provided by Mark Jaquith, variants of which are posted below.
* Methods to add plugin update support from other sources include: