I think I misread the initial comment. Yes, if the build server is compromised code could be injected into the next build/release cycle to pilfer your master password. Not only that, but also anything else in the vault since it is decrypted locally and visible to the extension.
Still, local decryption is more secure than sending the master password to the server (so, just compromising the server holding your vault wouldn't be enough to steal your password). I think I will switch to BitWarden which uses the same approach, LastPass seems to be getting hacked alot nowdays.
Are you certain bitwarden has not? I read a thread here some time ago where 1password was bragging that they have never been breached, and someone basically commented back "they have never been breached that they are aware of".
I am concerned at some level on the lastpass breaches, but I am less affected so far than I have been by the equifax, target, and t-mobile breaches. I have had years of free credit monitoring since each one of those handed out enough data to compromise my identity several times over.
Still, local decryption is more secure than sending the master password to the server (so, just compromising the server holding your vault wouldn't be enough to steal your password). I think I will switch to BitWarden which uses the same approach, LastPass seems to be getting hacked alot nowdays.