READ FIRST: It has been patched, and the latest official update from the 1Password team
Starting sometime in early December of 2025, a change was rolled out to the 1Password browser extension that began injecting prism.js onto every site and targeting every <code> block it encountered.
The original discovery was made by @saltyaom and shared on Twitter to their disbelief.
The moment it hit my radar was when @yyx990803 retweeted it, amplifying it to a much larger audience.
1Password has several forum posts on this topic showing that this bug was introduced to all production users.
- Re: 1Password Chrome extension is incorrectly manipulating
blocks - Safari & Firefox extensions still break <pre>/<code> blocks after page load
- 1Password Chrome extension is incorrectly manipulating
blocks
The biggest question I had was: why are they even injecting Prism.js in the first place?
It turns out this is for a new Labs Snippets feature that allows you to paste snippets from the browser extension. One of the most interesting parts is that it has nothing to do with programming in general and is instead meant for rich text formatting.
Prism.js was targeting every <code> block on any site, ultimately stripping the correct syntax highlighting theme.
The snippets feature itself is actually pretty neat. In this example, it replaces what I type — "sig" — with console.log(67). It’s not clear to me why this requires highlighting <code> blocks on websites, though, since this feature behaves more like TextExpander or macOS text replacements.
It sucks to have a bug roll out during the holidays when people are on vacation, so I understand the delay in the fix. I’m very excited to read their postmortem to learn how this made it into production and what they plan to do to prevent this from happening again.
I hope you enjoyed this read, and if you’re interested in deep dives like this, please consider following me.
Top comments (0)