The thing that bothers me most about this story is that the binary on the Chrome Web Store and the public source on the repo have no enforced relationship at all. The store accepts a packaged extension and trusts the developer to say it matches the public code. I tried to reproduce the published build for a few extensions I actually depend on, and in most cases I could not, even when the maintainer was clearly acting in good faith. Firefox AMO at least asks for source and runs a diff against a clean build before they let it through; Chrome does not. If reproducible builds plus a signed attestation tying a store version to a commit are not the right answer here, what would actually catch the silent pivot from benign to malicious before users start getting injected ads?
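An added example, not part of the original comment and not code from any store or extension project, of what the "reproducible build plus attestation" check in that post would look like in practice. The extension files, the packaging step, the commit id and the attestation key are all constructed here; in-memory zip archives stand in for the store-served package and a local rebuild, and an HMAC stands in for the asymmetric signature a real attestation would carry. It shows why a byte-for-byte comparison of the packages fails even when the source is identical (zip timestamps and file order differ between builds), how a content-level digest over sorted file hashes gets past that, and how a tampered file then shows up as a mismatch against the attested digest.

```python
"""Check a packaged extension against a rebuild from public source.

Added example. Sample files, timestamps, commit id and key are constructed.
"""
import hashlib
import hmac
import io
import json
import zipfile
from typing import Dict, List, Tuple

# Constructed "public source" of a tiny extension.
SOURCE_FILES: Dict[str, bytes] = {
    "manifest.json": b'{"name": "example", "version": "1.2.0", "manifest_version": 3}\n',
    "background.js": b"chrome.runtime.onInstalled.addListener(() => {});\n",
    "content.js": b"document.title = document.title;\n",
}
COMMIT = "<commit-sha-placeholder>"        # would be the tagged release commit
ATTESTATION_KEY = b"constructed-demo-key"  # stand-in for a real signing key


def build_package(files: Dict[str, bytes], stamp: Tuple[int, ...], order: List[str]) -> bytes:
    """Pack files into a zip. Timestamp and file order are varied on purpose to
    mimic the non-determinism a real packaging step introduces."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in order:
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name])
    return buf.getvalue()


def content_digest(package: bytes) -> Tuple[str, Dict[str, str]]:
    """Normalized digest: sha256 over the sorted (path, sha256(content)) pairs.
    Zip metadata (timestamps, ordering, compression) does not influence it."""
    per_file = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            per_file[name] = hashlib.sha256(zf.read(name)).hexdigest()
    canonical = json.dumps(sorted(per_file.items()), separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest(), per_file


def compare_packages(store_pkg: bytes, rebuilt_pkg: bytes) -> dict:
    """Raw-bytes equality, content equality, and which files differ."""
    store_digest, store_files = content_digest(store_pkg)
    local_digest, local_files = content_digest(rebuilt_pkg)
    differing = sorted(
        name for name in set(store_files) | set(local_files)
        if store_files.get(name) != local_files.get(name)
    )
    return {
        "raw_bytes_equal": store_pkg == rebuilt_pkg,
        "content_equal": store_digest == local_digest,
        "differing_files": differing,
    }


def attest(commit: str, version: str, package: bytes) -> dict:
    """Bind a store version to a commit and a content digest, then sign it."""
    digest, _ = content_digest(package)
    body = {"commit": commit, "version": version, "digest": digest}
    payload = json.dumps(body, sort_keys=True).encode()
    body["sig"] = hmac.new(ATTESTATION_KEY, payload, hashlib.sha256).hexdigest()
    return body


def verify_attestation(att: dict, package: bytes) -> bool:
    """Accept only if the signature checks out AND the package content matches."""
    body = {k: att[k] for k in ("commit", "version", "digest")}
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(ATTESTATION_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, att["sig"]):
        return False
    return content_digest(package)[0] == att["digest"]


# Three constructed packages: what the store serves, an honest rebuild, a tampered one.
def store_package() -> bytes:
    return build_package(SOURCE_FILES, (2024, 1, 15, 9, 30, 0),
                         ["manifest.json", "background.js", "content.js"])


def honest_rebuild() -> bytes:
    # Same source, packed later and in a different order on another machine.
    return build_package(SOURCE_FILES, (2024, 3, 2, 18, 5, 12),
                         ["content.js", "manifest.json", "background.js"])


def tampered_package() -> bytes:
    # Same version string, but content.js no longer matches the public repo.
    files = dict(SOURCE_FILES)
    files["content.js"] += b"/* constructed: code not present in the public source */\n"
    return build_package(files, (2024, 1, 15, 9, 30, 0),
                         ["manifest.json", "background.js", "content.js"])


if __name__ == "__main__":
    print(compare_packages(store_package(), honest_rebuild()))    # bytes differ, content equal
    print(compare_packages(store_package(), tampered_package()))  # content.js differs
    att = attest(COMMIT, "1.2.0", store_package())
    print(verify_attestation(att, honest_rebuild()), verify_attestation(att, tampered_package()))
```

The point of the two comparison paths is that a store-side reproducibility check has to define what "matches" means: the raw archives almost never agree, so the check must be over normalized content, and the attestation should carry that content digest rather than a hash of the uploaded CRX.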