Personal auditing doesn't really solve the problem because extensions update automatically, and there are numerous cases of the authors of popular extensions being approached to sell out their userbase in exchange for cash, providing a motive for formerly-audited extensions to go bad. Here are some basic tips for defending yourself:
1. Minimize the number of extensions you use to the bare essentials. If you can live without it, uninstall it. If you rarely use it, uninstall it.
2. Prefer extensions from well-known organizations rather than unknown individuals. Example: there are plenty of extensions that force HTTP requests to HTTPS when possible, but I exclusively use the one from the EFF. Organizations have less to gain and more to lose from breaching the trust of their users in this way.
3. Prefer extensions that multiple software developers have recommended personally. This won't itself protect you from malware, but it does increase the likelihood that emergent malware will be discovered promptly and loudly publicized.
4. If you absolutely need an extension and none of the above apply, download the source code of the extension yourself and manually load it into your browser, to keep it from being automatically updated. (Part of me is wary to recommend this, as software that never gets updated is historically prone to being exploited by lingering unpatched flaws, but I'm having a hard time coming up with an attack vector of this sort for browser extensions.)
1. Unexpected URLs or IP addresses. Most attack vectors, for example a key-logger, need to call home at some point. Keep in mind, the address may be stored in pieces that are later concatenated together, or other tricks like using charAt() that will break a naive search for "http://".
2. Blobs of base64 code or other obfuscated text that are later eval'd...
3. Or really anything in an eval function is super suspicious.
4. Remote scripts that are injected into pages. Does this plugin have a solid reason to do that? Otherwise, it's an obvious backdoor even if not necessarily nefarious.
5. Look for code that targets specific domains that are out of scope. If you're looking at an extension for a color picker, you wouldn't expect to see code targeting specific high-value sites like Paypal or Gmail.
6. If it's an email productivity add-on, is it stealing emails and contact information from signatures? It's surprisingly common.
7. Some extensions will try to swap out the advertiser IDs or change affiliate links. Unless it's an adblocker, you shouldn't expect to see any code targeting ads.