NordPass® (legacy) Security Analysis

Chrome, v7.4.7, MV3, February 18, 2026 at 11:56 AM
Potentially unsafe

This extension shows concerning patterns that may indicate risky behavior. Proceed with caution.

7.3 HIGH (Raw: 8.1)

This extension shows significant risk signals. Review the findings below carefully before installing or continuing to use it.

Based on 21 permissions including high-risk ones, 165 code findings, 2 dangerous combinations.

Trust Signals (3.5/10)

Users: 200K
Rating: 3.5 (3K reviews)

Dangerous Combinations (2)

CRITICAL: Clipboard read + external communication

Extension reads clipboard and communicates externally — potential credential or crypto address theft.

clipboardRead + external network request

CRITICAL: All-sites access + keyboard capture

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

<all_urls> + keylogger_pattern

Permissions: 7.5/10
Code: 10.0/10
Combinations: 10.0/10
Manifest/CSP: 2.2/10

Permissions (21 analyzed)

Code Findings (16 patterns, 165 total)

Content Security Policy

CSP Present (1 issue)

LOW
object-src: object-src not restricted

object-src is not set to 'none'. Plugins like Flash can be embedded, which may allow code execution.

Manifest Analysis (1 finding)

Resolved from __MSG_* i18n placeholders:

Description: NordPass is your freedom from password stress. Generate and securely store strong passwords and autofill them with a single click.

MEDIUM
web_accessible_resources: JS files exposed to web pages

JavaScript files are exposed as web-accessible resources. Matched websites can load and interact with extension scripts.

External Domains (83)

Indicators of Compromise

202 indicators of compromise found

File Statistics

Total Files: 140
JS Files: 39
Total Size: 28.4 MB
