[throwaway821909]

This is a good point, but on the other hand, couldn't any application be hijacked in the same way to include a keylogger/upload plaintext password DBs stored locally by browsers/etc? Somehow this hasn't happened on a mass scale that I'm aware of.

[aborsy]

Not exactly, because the JavaScript code can change and be delivered at ANY time. No code signature verification is involved.

An offline password manager is updated a few times a year, and will go through OS repository distribution, with verification of the signature for changes. Or you can download the software from the source website and check the signature.

[quickthrower2]

Extension has the passwords so just need to suck them through a straw. Getting a keylogger on someones machine probably requires getting them to run an executable or a zero-day exploit.