A big problem in the whole third party extension world (for browsers and apps like these) is that the creators of these extensions are often swayed to sell their creation. Dropping an infostealer to 1000 people could easily get you 10s of thousands of dollars if you use the stolen info for stuff like bank fraud. So invest a few thousand of that to buy the extension and you get a profit. You can even get access to the accounts of extension creators by getting them infected by other extensions. This can even be automated in the form of a worm such as the NPM malware named Shai-Hulud.

It’s an extremely dirty battle that requires every developer to be vigilant about who they trust and to defend their creation at all costs. Easy money always has a bad side, and I hope every developer understands that their users have put a trust into them that the developer has most likely also put into other developers.

Why is it the extensions you most suspect? /s