Comment by esseph

I never said someone should not use a password manager.

I'm pointing out that password manager autofill can be used in an attack without the person's knowledge.

The site itself does not have to be compromised btw, this could come through the device itself being compromised or a poisoned popup on a website without referrer checks. There are probably quite a few ways I haven't considered to be able to get this to work.