Your trusted extension/add-on with over 100k review might be spying on you.

Compromised dYdX npm and PyPI packages delivered wallet-stealing malware and a RAT via poisoned updates in a software supply chain attack.

Microsoft is aware of exploitation in the wild for six vulnerabilities, and notes public disclosure for three of those.