Yes, you did well.
Malicious people try to hide their malware in places where the website owners do not usually check, for instance this person tried to hide that malicious file in the folder where the Sucuri plugin resides, it could have been any other plugin so is not really a problem that I (as the maintainer of this plugin) can resolve; just keep looking the rest of your project for copies of the same malware, check the audit logs, change the passwords of all your user accounts, change the credentials of your database, and check the permissions of the folders and files inside the plugins directory.
And by the way, the Sucuri WordPress plugin is not infected as you said, saying that the plugin is infected implies that I as the maintainer of the code injected that malicious file in your site and that is not true, the history of changes of the code is public here [1], anyone can check them and verify that the plugin is clean of malware, there is no way I could inject malicious code in this plugin without people noticing.
As you can see in the official repository [2] the only PHP files that are distributed with this plugin are named "sucuri.php" and "uninstall.php", so it is safe to delete any other file that is not listed in the official repository.
If it were possible to change the title of this ticket I would put something like "My website got hacked" instead of "Infected plugin", words are powerful weapon and it hurts our image when people assume things without a previous investigation.
Anyway, if you need help with anything else let me know.
[1] http://plugins.trac.wordpress.org/log/sucuri-scanner/
[2] http://plugins.svn.wordpress.org/sucuri-scanner/trunk/