Thanks @steem-plus for the reply! I agree that the open source aspect is critical to security. While I haven't personally reviewed the code, I think it's unlikely that there's malicious code as it would hopefully quickly be discovered.
So I guess my question is really what prevents someone from compromising your deployment infrastructure and quickly uploading a maliciously modified version to the Chrome store? Would this potentially automatically "upgrade" browser users with the malicious extension?
For example, many websites have had mining software injected. Presumably, these websites did not intentionally add the mining javascript but were instead compromised. Do you think this is a risk for the SteemPlus extension that users should be conscious of?
To inject malicious code they would need access to my Chrome Store account which is protected by a quite long and random password that is only stored in my brain. Also you can install in developer mode to avoid automatic updates.