Extensions really can't do anything without specifying permissions explicitly in their manifest. Those permissions are then shown to the user when extensions are installed. I don't see the problem here.
And inserting links in a search results page is hardly the type of malware the title of this article implies.
Hackers place a high value on veracity of information. Altering a search result page without complete transparency ahead of time is not cool. Altering a search result page in a way that filters money away to someone else is exactly what some malware does.
And inserting links in a search results page is hardly the type of malware the title of this article implies.