Tor browser should be set so add-ons will not automatically update in the background
If a company that develops a add-on gets compromised, they could released a Malicious update for there extension and all users running tor browser would get the new malicious update that could compermise there Anonymity, the users would not even know that the Malicious add-on would be installed "ex. HTTPS Everywhere"
Trac:
Username: Dbryrtfbcbhgf