| Risk | Mitigation | |------|-------------| | Malware in published extension | Reproducible builds + automated scanning (ClamAV, yara rules) | | Update poisoning | Code signing + certificate pinning | | Typosquatting | Name squatting checks + verified publisher badges | | Abandoned extensions takeover | Web of trust + expiration of signing keys |