For Chrome and Chromium-based browser users...

Researchers from the University of Wisconsin-Madison have created a proof-of-concept Chrome extension that is capable of stealing plaintext passwords from the HTML source codes of virtually any website.

https://www.techspot.com/news/100016-rogue-chrome-extensions-can-steal-passwords-websites-gmail.html