bleepingcomputer[.]com/news/security/major-password-managers-can-leak-logins-in-clickjacking-attacks/
Basically the way it works is a compromised site can use invisible elements so that when you click something it triggers your password mgr. to autofill the also hidden blanks, allowing the cyber criminal to record your login info. The researcher cited tested the following apps, but those not tested may also be vulnerable: 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce.
The vendors that implemented fixes are Dashlane (v6.2531.1 released on August 1), NordPass, ProtonPass, RoboForm, and Keeper (v17.2.0 released in July). However, users should make sure that they're running the latest available versions of the products.Until fixes become available, Tóth recommends that users disable the autofill function in their password managers and only use copy/paste.
[Update 8/20 3:20 PM EST] - LastPass and LogMeOnce reached out to BleepingComputer following the publication of this article to explain that they too are working on resolving the issues raised in Tóth's report.