I've developed a few browser extensions, and every week I receive numerous emails with "revenue offer". Some experienced developers know that offers like these will inject malware into the browsers of your users, but scammers who make these offers will not tell you about it. They offer "integrations" that don't look so suspicious. Imagine how many developers have accepted these offers. Then look at the number of extensions in your browser and think about how much risk there is that you have an extension with malware.
Or maybe only install extensions from trusted
sourcesdevelopers.I think the point is that even if an extension comes from a trusted source, the developer could fairly easily push out an update that turns the extension into malware. Check the GitHub link in another comment below where the developer posts the solicitation emails he gets on a regular basis offering to monetize his extension. He isn’t selling out, but maybe not every dev is as willing as he is to forgo a potentially lucrative offer.
And there are cases where this has already happened: https://www.bleepingcomputer.com/news/security/-particle-chrome-extension-sold-to-new-dev-who-immediately-turns-it-into-adware/ There are probably more recent cases too, but this was the first one I could find.
To be specific: from trusted developers. Installing them only from the official repository (is it still possible to reasonably install them any other way?) won’t help if a dev sells such an addon. On the other hand I cannot imagine someone like Raymond Hill (the uBlock Origin dev) doing it, considering his track record.
Yeah, that’s what I meant.