by kevindong 1589 days ago
Could you not argue the same thing for almost any code used by almost any piece of software closer to the metal?

e.g. someone manages to slip malicious code into Chrome/Chromium which eventually makes its way out to every Electron app/most browsers, or something gets injected into Windows/macOS/Linux, etc.

3 comments

>Could you not argue the same thing for almost any code used by almost any piece of software closer to the metal?

You could. But if you haven't trusted all/most of your passwords to any single app, you won't have a problem with them being exposed when that particular piece of software is compromised.

Even if someone compromises your OS itself, you'll only lose the passwords you typed in while you were using it compromised. And that's if it does capture those, and if it sends them to some remote endpoint, and if it's not caught soon, and so on.

With a password manager compromised, on the other hand, you could lose anything you've put in it, all at once.

The likelihood of malicious code making its way into a browser extension in production is way, WAY higher than it is for something like Chrome or Windows.

On one hand, yes, software supply chain vulns are getting difficult to maintain conceptually total coverage of while also maintaining a pleasant environment for developers to be productive in.

On the other hand, yes there eventually is a trust point somewhere. A spiral of upstream what-ifs isn't productive IMO, I agree.