Even for extensions you trust, if their domain expires, it can be minutes later that it is pushing an update.
Actually ... Chrome extensions should have a trust policy wrt domain age, meaning a newly refreshed domain (via expiration) shouldn't be able to push an update for X days.
edit, forgot to mention that this applies to all plugin systems, many which provide vectors of attack against programmers, many of whom can affect global infrastructure.
So VSCode, IntelliJ, etc can be used to inject code into the client as well.
Chrome extensions should be signed and should prevent updates of extensions if the new version was signed by a different from the one signed the current one until the user manually approves it.
Most users will click straight through the approval though, like when they granted it full permissions at install.
And is the signing actually effective anyway? There's very little mention of it online, and as far as I can see it isn't covered in the official guide for publishing extensions.
Is it even possible to have proper signing keys stored locally or air-gapped?
To be honest that problem exists for essentially any software that auto-updates.
You just have to hope that the built-in integrity checking (if any) works and is effective.
That's why I like software distribution methodologies that rely purely on signing to verify authenticity, rather than simply the location that it was downloaded from. I can technically use any old dodgy Apt mirror that I want, as long as I only accept packages signed by trusted keys.
As a side note, it's shocking how many software providers say that their downloads are 'integrity checked' just because they're served over HTTPS.
Actually ... Chrome extensions should have a trust policy wrt domain age, meaning a newly refreshed domain (via expiration) shouldn't be able to push an update for X days.
edit, forgot to mention that this applies to all plugin systems, many which provide vectors of attack against programmers, many of whom can affect global infrastructure.
So VSCode, IntelliJ, etc can be used to inject code into the client as well.