Selling malware/software weapons to US entities is generally legal for other US entities*, with the main caveat that if it ends up ITAR regulated then you can only sell it to the US government and other ITAR-cleared suppliers unless it's open source (in which case you'd be selling the platform).
NSO Group is bad because they have been caught selling to oppressive regimes and allegedly actively supported (and potentially continue to support) the deployment of their software for oppressive regimes to harm innocent civilians. They should be (and iirc are) sanctioned for their bad behaviors, bad intentions, and mishandling of their responsibilities.
* There are plenty of caveats (e.g. the seller & buyer need to have good intentions and only plan to use the malware in accordance with the law). I am not a lawyer and this is not legal advice.
NSO Group is bad because they have been caught selling to oppressive regimes and allegedly actively supported (and potentially continue to support) the deployment of their software for oppressive regimes to harm innocent civilians. They should be (and iirc are) sanctioned for their bad behaviors, bad intentions, and mishandling of their responsibilities.
* There are plenty of caveats (e.g. the seller & buyer need to have good intentions and only plan to use the malware in accordance with the law). I am not a lawyer and this is not legal advice.