[antonok]

Great suggestions. The "third party buys popular extension and quietly adds malware" approach is also a huge attack vector. There really ought to be some way to prevent an extension from updating until you've had a chance to review and approve that change, especially if it requests a lot of sensitive permissions.

[staticassertion]

Well, even today, if the attacker modifies the permissions it will require a re-acknowledgement. Google can also do things there, like if the extension is tied to a key (as it should be), tell developers that they are required to not provide that key to anyone else, even if they sell / transfer ownership of the extension. Instead, the new owner should register a new key, which can trigger review/ scrutiny.

Key + 2FA means the attacker has to have code execution on a developer's machine in order to publish an update (via the local session token, which you should make short lived). And Google could require a FIDO2 token if you want to bypass the "alert users that this thing uses lots of permissions".

There's a lot of stuff I'd be working on to avoid having to remove developer power.

edit: K I've been rate limited by HN so I can no longer reply for today, but them's my thoughts.

[blibble]

if someone offers a typical small extension author $500,000 for their extension, I think they're going to ignore Google's rules and handover the keys