Monday, September 5, 2022

Web Pages Can Overwrite Your Clipboard

Jeff Johnson:

Chrome is currently the worst offender, because the user gesture requirement for writing to the clipboard was accidentally broken in version 104. A public demonstration of the brokenness has been posted on Web Platform News. If you simply visit the demonstration page in Google Chrome or a Chromium browser, then your system clipboard will be overwritten with the text below.

[…]

If the user gestures were limited to the keyboard shortcut for copy (⌘C on the Mac) or selecting the “Copy” command in a menu (main or contextual), that might be fine. But the gestures are not strictly limited in this way. In my testing, the following DOM events give a web page permission to use the clipboard API to overwrite your system clipboard[…] Therefore, a gesture as innocent as clicking on a link or pressing the arrow key to scroll down the page gives the web site permission to overwrite your system clipboard!
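The distinction drawn above, between an explicit copy action and any other gesture, can be observed with a small audit shim that wraps `writeText` and records which event most recently preceded each write. This is an added example, not code from the quoted post; the function name `installClipboardAudit`, the `WATCHED` list (limited to the gestures named in the text, since the post's full event list is elided here) and the `windowMs` attribution window are assumptions.

```javascript
// Added example: clipboard-write audit shim (not code from the quoted post).
// Assumptions: WATCHED covers only the gestures named in the text, and
// windowMs is an arbitrary attribution window, not a browser constant.
const EXPLICIT = new Set(["copy", "cut"]);
const WATCHED = ["copy", "cut", "click", "keydown"];

function installClipboardAudit(target, clipboard, { windowMs = 1000, now = Date.now } = {}) {
  const log = [];
  let last = null; // most recent watched event: { type, at }

  // Capture phase, so the shim sees the event before page handlers run.
  for (const type of WATCHED) {
    target.addEventListener(type, () => { last = { type, at: now() }; }, true);
  }

  const original = clipboard.writeText.bind(clipboard);
  clipboard.writeText = function (text) {
    const trigger = last && now() - last.at <= windowMs ? last.type : null;
    const verdict = trigger === null ? "no-gesture"
      : EXPLICIT.has(trigger) ? "explicit-copy"
      : "unrelated-gesture";
    // Record only the length, so the audit log never stores clipboard contents.
    log.push({ verdict, trigger, length: String(text).length });
    return original(text);
  };
  return log;
}

// Constructed offline demo: a bare EventTarget stands in for `document`
// and a plain object stands in for `navigator.clipboard`.
function demo() {
  let clock = 0;
  const page = new EventTarget();
  const fakeClipboard = { data: "", writeText(t) { this.data = t; return Promise.resolve(); } };
  const log = installClipboardAudit(page, fakeClipboard, { now: () => clock });

  page.dispatchEvent(new Event("copy"));      // user pressed the copy shortcut
  fakeClipboard.writeText("selected text");
  clock = 5000;
  page.dispatchEvent(new Event("keydown"));   // user pressed an arrow key
  fakeClipboard.writeText("text the user never selected");
  clock = 60000;                              // long after any gesture
  fakeClipboard.writeText("background write");
  return { log, finalClipboard: fakeClipboard.data };
}
```

In a browser the same function would be called as `installClipboardAudit(document, navigator.clipboard)` from a userscript or a DevTools snippet. It only observes `writeText`; writes made through other clipboard paths are not covered by this sketch.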

1 Comment

I'm not surprised. Certain web sites (like Microsoft SharePoint) make this an explicit feature in their UI.

When you click the "Copy link" button next to a shared file, the back-end server automatically generates a special file-sharing URL and copies it to the clipboard, all ready for you to paste into an e-mail message (or chat window or whatever).

The fact that this feature can be abused is not surprising. Good luck coming up with an API that can figure out the intent of the web site designer.
