This kind of thing has already happened. Chinese hackers got into the Juniper VPN source code and replaced a key pair with their own. They even updated the tests so that it would pass. This went unnoticed for years.
This is a good point, but on the other hand, couldn't any application be hijacked in the same way to include a keylogger/upload plaintext password DBs stored locally by browsers/etc? Somehow this hasn't happened on a mass scale that I'm aware of.
Not exactly, because the JavaScript code can change and be delivered at ANY time. No code signature verification is involved.
An offline password manager is updated a few times a year, and will go through OS repository distribution, with verification of the signature for changes. Or you can download the software from the source website and check the signature.
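The check described in this reply (download the release from the source site, then verify the maintainer's signature) as an added POSIX shell example; it is not part of the thread and not any project's own tooling. It assumes `gpg` is installed, that the maintainer's key is already in the keyring, and that the key fingerprint passed in was obtained out-of-band (for example from the project's site over HTTPS); the file names and fingerprint are placeholders. The point of pinning the fingerprint is that a signature from some other key, even a "good" one, is rejected, which is the failure mode the Juniper example above illustrates.

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded release against a
# detached OpenPGP signature AND require that the signing key matches a
# fingerprint pinned out-of-band. Assumes gpg is installed.

# verify_release FILE SIG EXPECTED_FPR
# Returns 0 only if gpg reports a valid signature ("[GNUPG:] VALIDSIG ...")
# and the pinned fingerprint appears as the signing key or its primary key.
verify_release() {
    file="$1"; sig="$2"; expected_fpr="$3"
    [ -f "$file" ] && [ -f "$sig" ] || return 1
    # --status-fd 1 prints machine-readable status lines on stdout; human
    # messages go to stderr. A good signature yields a line of the form
    # "[GNUPG:] VALIDSIG <signing-key-fpr> ... <primary-key-fpr>".
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    printf '%s\n' "$status" \
        | grep -E -q "^\[GNUPG:\] VALIDSIG ($expected_fpr |.* $expected_fpr\$)" || return 1
    return 0
}

# Usage (placeholders): verify_release passwords-1.2.tar.gz passwords-1.2.tar.gz.sig \
#     0000000000000000000000000000000000000000   # replace with the pinned fingerprint
```

A plain `gpg --verify` exiting 0 is not enough on its own: it only says that some key in your keyring produced the signature, so the fingerprint comparison is what ties the download to the maintainer you actually meant to trust.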
The extension has the passwords, so you just need to suck them through a straw. Getting a keylogger on someone's machine probably requires getting them to run an executable or a zero-day exploit.
2. Inject code in build to export user's passwords to remote server after update is installed