We all fall victim to the dangerous belief that if an app or extension is listed in an official repository - be it the App Store, Google Play, the Microsoft Store, Mozilla's Add-Ons directory or so on - it must be legitimate. After all, the big tech companies surely use a lot of automated systems (and real human beings) to ensure that their customers aren't downloading harmful things. Right?