I've wondered about whether something like this could happen to the "Bypass Paywalls" Chrome extension [1]. However, what makes me feel more comfortable (and please correct me if I'm wrong) is that in order to use the extension, you need to save a copy of it locally and then drag that over to Chrome to install it. If I delete the local version of the extension then it no longer works. Assuming that there was no malware at the time of downloading the extension from GitHub, does this mean that no one can "push" malware code to my local version of the extension or "push" anything to GitHub that could interact with my local version in a malicious way?
That understanding is correct. In fact, that type of technique is one of those recommended to use Great Suspender safely.
I should note that the manifest can specify an 'update url' that would enable auto-updating behavior, and it does, in fact, appear that this extension does so. If you remove that line from the manifest, that behavior will cease.
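The manifest edit described in the comment above, as an added example that is not part of the original thread or the extension's own code: it removes the `update_url` key (the manifest key's actual spelling) from a locally saved extension's `manifest.json` and keeps a backup. The function name, sample manifest and URL are constructed for illustration, and the manifest is assumed to be strict JSON.

```python
import json
import shutil
import tempfile
from pathlib import Path


def strip_update_url(ext_dir):
    """Remove 'update_url' from an unpacked extension's manifest.json.

    Returns the URL that was removed, or None if the key was absent.
    A backup of the original manifest is kept as manifest.json.bak.
    """
    manifest_path = Path(ext_dir) / "manifest.json"
    # Assumption: the manifest is strict JSON (no // comments).
    manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
    if not isinstance(manifest, dict):
        raise ValueError(f"{manifest_path}: top level is not a JSON object")
    if "update_url" not in manifest:
        return None
    shutil.copy2(manifest_path, manifest_path.with_name("manifest.json.bak"))
    removed = manifest.pop("update_url")
    manifest_path.write_text(json.dumps(manifest, indent=2) + "\n", encoding="utf-8")
    return removed


def demo():
    """Run against a constructed sample manifest in a temp directory."""
    sample = {  # constructed sample, not the real extension's manifest
        "manifest_version": 2,
        "name": "Example Extension",
        "version": "1.0.0",
        "update_url": "https://updates.example.invalid/updates.xml",
        "permissions": ["storage"],
    }
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp)
        (ext / "manifest.json").write_text(json.dumps(sample), encoding="utf-8")
        first = strip_update_url(ext)
        second = strip_update_url(ext)  # idempotent: key already gone
        remaining = json.loads((ext / "manifest.json").read_text(encoding="utf-8"))
        backup_exists = (ext / "manifest.json.bak").exists()
    return first, second, remaining, backup_exists


if __name__ == "__main__":
    print(demo())
```

After editing the manifest, reload the extension from `chrome://extensions` so Chrome picks up the changed file.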
Thanks, I actually just noticed the GitHub page says "The Firefox version supports automatic updates" so I guess it's safe to say that the Chrome extension won't automatically update?
[1] https://github.com/iamadamdev/bypass-paywalls-chrome