During a security assessment, which characteristic of a browser extension most strongly suggests persistence and malicious activity?

Persistence and stealth in browser extensions show up as background activity tied to broad permissions. When an extension keeps running background scripts even after the browser is closed, it demonstrates it can resume actions and maintain control across sessions, which is a hallmark of a malicious, long-lived presence. If the extension also requests a large set of permissions, it gains broad access to data and browser features, increasing the potential impact and making it harder to detect and shut down. The other scenarios are less convincing signs of persistent malicious activity. An extension that only requests essential permissions and terminates when the browser closes suggests a more limited, transient role rather than ongoing control. Being signed by a well-known vendor with automatic updates can be legitimate, though it’s not a definitive indicator of malice. Communicating only with localhost could be used for various purposes, but by itself it doesn’t strongly indicate persistence or malicious behavior.