
Let's be honest, the people that are reading the list on GitLab are highly unlikely to be end consumers purchasing at those stores. If anything, this list provides a potential target list for other hackers to try and compromise those stores even further. I believe this to be irresponsible and furthermore still a violation of responsible disclosure.



I agree that it is unlikely that consumers directly use the list themselves. But have you seen https://twitter.com/gwillem/status/786908740838682624 that was linked from the OP? "631 compromised stores have been fixed in the last 4 days". I think publishing the list helped accelerate the fixing process. And companies like Google might use the list to detect malware sites in search results.


The people you're afraid of ("if anything, this list provides a potential target list for other hackers to try and compromise those stores even further") already have access to the data gwillem used as a source.


Isn't that true for the vast majority of responsible disclosure instances?


And by further distributing the list to a greater audience, that makes it ok?


It's a matter of degree. Do the positives of publishing outweigh the negatives? I think so.


What's your comprehensive alternative then? Attempt to contact the owners? And where that has proven fruitless? Tell no-one?

At least now I can bring this list to the awareness of tech-savvy friends who might now have an opportunity to talk to their friends and family and so on.



