This kind of thing has already happened. Chinese hackers got into the Juniper VPN source code and replaced a key pair with their own. They even updated the tests so that it would pass. This went unnoticed for years.

Arguably it wasn't secure in the first place if it had backdoor like that.

It doesn't have to a backdoor. A malicious employee can have access to the keys.

This is a good point, but on the other hand, couldn't any application be hijacked in the same way to include a keylogger/upload plaintext password DBs stored locally by browsers/etc? Somehow this hasn't happened on a mass scale that I'm aware of.

Not exactly, because the JavaScript code can change and be delivered at ANY time. No code signature verification is involved.

An offline password manager is updated a few times a year, and will go through OS repository distribution, with verification of the signature for changes. Or you can download the software from the source website and check the signature.

Extension has the passwords so just need to suck them through a straw. Getting a keylogger on someones machine probably requires getting them to run an executable or a zero-day exploit.

Worth noting that open-source projects where your password store is saved locally are vulnerable to the same attack.

Simple, but not easy.