by Daniel Dawson (Developer) on May 9, 2015 · permalink

Where exactly did you download Saved Password Editor? I just tried downloading from AMO (through the "Add to Firefox" button on the main listing page) and comparing to my build. The files are identical, so it's impossible for any malware to have been added there.

If you got the add-on through another site, please note that you should be wary of other sites, especially when the official distribution is here. If you downloaded from here, then it seems either your computer is already infected with something that is manipulating what you receive, or your anti-malware software gave you a false positive (quite possible depending on how it fingerprints malware).

I also would like to point out that you should not feel safe with other Firefox extensions just because their stated purpose doesn't involve handling your passwords. *All* extensions (i.e. add-ons that modify behavior) have full privileges to do anything Firefox itself can do (except for SDK add-ons that do not request such privilege). Having an add-on whose description says nothing about passwords be the one to steal them makes more sense, don't you think? However, the review performed by actual humans (the add-on reviewers) before add-ons are allowed to be publicly released is designed to prevent such a blatant violation.

There are still ways that malware can slip in, though. In the near future (planned for version 41; version 40 will have a preference allowing it to be disabled), Firefox is going to allow only extensions signed by Mozilla to be installed. See https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience/ and https://blog.mozilla.org/addons/2015/04/15/the-case-for-extension-signing/ and https://wiki.mozilla.org/Addons/Extension_Signing for more info. That should significantly reduce such infections, among other things.