
Any compromised uploader machine with stored passwords can be used to upload compromising code, which will propagate to all downloaders.
It doesn't really matter whether a compromised machine stores a password or not. If you upload anything using a compromised machine, the attacker has the opportunity to learn your password.
True. But storing the password means that the owner doesn't need to initiate an upload, nor does the attacker need to capture keypresses, listen on connections, identify uploads/logins/passwords in the captured data, or do anything at all non-trivial, platform-specific or persistent (propagation could ignore the owner's machine).
Also, Hackage doesn't use SSL/TLS, so compromising a machine isn't necessary for learning Hackage passwords.
As Duncan says, an overall security review would be good, the sooner, the better. But that shouldn't prevent incremental improvements wherever they are found. One just needs to keep in mind that they make attacks harder/less likely, not impossible. Encouraging all users to keep an eye on the obvious holes may also make it more likely that the less obvious holes are noticed and addressed.

Claus