Chrome Extensions can Steal Plaintext Passwords From Website Source Code
Given the lack of any security boundary between the extension and a site’s elements, the former has unrestricted access to data visible in the source code and may extract any of its contents.