Wait. Can't someone just delete the malicious class file or code from the plugin? Because it seems that easy for me.
Separate names with a comma.