just recently there was a clickjacking attack that affected most popular password manager extensions. It tricked the managers into filling passwords to random pages, worked on almost all extensions and all pages.
This doesn't seem to be "passwords on random pages", only "Personal Data + Credit Card,", passwords are domain-specific unless the website is hacked itself.
> The attacker can only steal credentials for the vulnerable domain.
