To inject malicious code they would need access to my Chrome Store account which is protected by a quite long and random password that is only stored in my brain. Also you can install in developer mode to avoid automatic updates.