If you use the JSON Formatter Chrome extension, uninstall it now and keep reading. In early April 2026, users started noticing the extension had started injecting ads, hijacking checkout pages with donation prompts, and adding tracking scripts to their browsers. The extension — which has millions of weekly users — had been sold or co-opted, and a trusted dev tool became adware overnight.
What Actually Happened
A user on Hacker News (jkl5xx) flagged it first: a suspicious element called give-freely-root-bcjindcccaagfpapjjmafapmmgkkhgoa appeared in the Chrome inspector. Hours later, another user got a Malwarebytes quarantine alert specifically for JSON Formatter. The full HN thread has 136 comments of developers confirming the pattern and debating what happened.
The mechanism is textbook:
- Popular free extension gets millions of installs over years.
- Original author gets "approached twice to add a search and tracking script" (HN user nip describes the direct pitch).
- At some point, someone says yes — or the extension is sold to someone who will.
- A routine auto-update pushes the monetization code. Your browser trusts the update. Adware is now running with your extension's permissions.
This isn't new. Hacker News covered a breach of JSON Formatter's website back in November 2025. The pattern repeats because browser extensions are the softest attack surface in the entire developer toolchain.
The Actually-Safe Alternatives
If you format JSON more than twice a week, you need a tool that lives outside the browser-extension threat model. Here are three categories of replacement, ranked by how much of the risk each one removes.
1. A Client-Side Web App (Best · $0 – $9)
A web app that runs entirely in your browser — no backend, no data sent to a server. Opening it feels identical to using an extension, but the attack surface is exactly the one tab you're looking at. No auto-updater. No OAuth scope. No permissions on other tabs.
Septim Forge is one option (built by us, disclosed): 22 developer utilities — JSON formatter, JWT decoder, diff checker, SQL formatter, CSV↔JSON, regex tester, UUID, hashes — all running client-side with zero server calls. 16 tools are free, 6 Pro tools are $9 once, lifetime. Your data never leaves the page.
Wes Bos also shipped JSON Alexander as a response to the same incident. Different philosophy (extension, but a new clean one), similar privacy stance.
Key question to ask of any client-side web tool: open DevTools → Network tab → paste JSON → does anything outbound fire? If yes, it's not actually client-side.
2. A Self-Hosted Tool (Most paranoid · $0)
If you're really allergic to trusting anyone, run a local formatter. jq has been the CLI standard for years. For GUI, json-viewer as a local npm package or json-lite as a desktop app both work. Trade-off: setup friction, and you now own the security-patching responsibility.
This is the right call if your org prohibits sending code/data to any external endpoint, period.
3. A New Extension, Cautiously (If you insist · varies)
If you really want the keyboard-shortcut convenience of an extension, switch to one that has (a) open source on GitHub you can audit, (b) fewer than 5 permissions requested, (c) active maintenance by a named developer with a verifiable presence.
Downside: this exact pattern happens every couple of years. The new safe extension may be the next adware victim in 2028.
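As an added example that is not the post's own code (nor any extension's), here is a small script that applies criterion (b) above to an extension's manifest.json and lists the permissions a newer version adds, which is exactly what an auto-update would prompt you to approve. The two manifests are constructed and the function names are hypothetical.

```javascript
// Added example (not from the original post): audit a Chrome extension manifest
// against the "fewer than 5 permissions" rule and diff two versions for escalation.
// Function names and the sample manifests are hypothetical/constructed.

// Host patterns that amount to "read data on all websites".
const BROAD_HOSTS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];

// Collect every declared permission string (MV2 and MV3 keys) into one set.
function declaredPermissions(manifest) {
  const keys = ['permissions', 'optional_permissions',
                'host_permissions', 'optional_host_permissions'];
  return new Set(keys.flatMap((k) => manifest[k] || []));
}

// Criterion (b): count permissions, and separately flag broad host access,
// because a short list can still contain <all_urls>.
function auditManifest(manifest, maxPermissions = 5) {
  const perms = [...declaredPermissions(manifest)];
  const broad = perms.filter((p) => BROAD_HOSTS.includes(p));
  return { count: perms.length, withinLimit: perms.length < maxPermissions, broadHosts: broad };
}

// Permissions present in `updated` but not in `baseline`: what an update asks you to approve.
function addedPermissions(baseline, updated) {
  const before = declaredPermissions(baseline);
  return [...declaredPermissions(updated)].filter((p) => !before.has(p));
}

// Constructed manifests: a minimal formatter, and a later version that widens its reach.
const BASELINE = {
  manifest_version: 3, name: 'example-formatter', version: '1.0',
  permissions: ['storage'], host_permissions: [],
};
const UPDATED = {
  ...BASELINE, version: '1.1',
  permissions: ['storage', 'tabs', 'scripting'], host_permissions: ['<all_urls>'],
};

console.log(auditManifest(UPDATED));                  // 4 permissions, but broadHosts: ['<all_urls>']
console.log(addedPermissions(BASELINE, UPDATED));     // ['tabs', 'scripting', '<all_urls>']
```

Run it against the manifest.json inside the unpacked extension directory, and keep the manifest you audited so a later version can be diffed against it.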
How to Spot the Next One Early
The JSON Formatter incident isn't a one-off. Extension monetization is a well-trodden path now. Here are the early-warning signs a trusted dev extension has been compromised:
- A routine update adds new permissions. If Chrome asks you to approve "read data on all websites" during an auto-update of a tool that previously didn't need that, uninstall immediately. The extension is being repurposed.
- Unexpected network requests appear in DevTools. A client-side JSON formatter should make zero network calls after the initial page load. If you see XHR traffic during formatting, something's exfiltrating.
- The extension asks for donations on pages unrelated to itself. Legitimate donation prompts live in the extension's own UI. Prompts injected into your bank's checkout page are adware — no exceptions.
- New UI elements appear where they weren't before. Check document.querySelectorAll('[id*="give-freely"], [id*="donate"], [id*="tracking"]') on any page your extension touches. If the extension injected DOM nodes there, investigate.
- Malwarebytes, uBlock, or PiHole suddenly flags something. These tools have low false-positive rates for installed extensions. Take the warning seriously even if you trust the extension.
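To make the DOM check in the list above and the Network-tab test from section 1 repeatable, here is an added example that is not part of the original post: two pure functions that, in a real tab, you would feed from document.querySelectorAll and performance.getEntriesByType('resource'). The sample nodes and resource entries are constructed, and the function names are hypothetical.

```javascript
// Added example (not from the original post): helpers a defender can paste into
// DevTools to look for injected DOM nodes and for network calls made after the
// page finished loading. Function names and sample data are hypothetical/constructed.

// Id/class fragments the post lists as markers of injected ad or donation UI.
const SUSPECT_FRAGMENTS = ['give-freely', 'donate', 'tracking'];

// nodes: [{id, className}]  -- in a browser: Array.from(document.querySelectorAll('[id],[class]'))
function findInjectedNodes(nodes, fragments = SUSPECT_FRAGMENTS) {
  return nodes.filter((n) => {
    const hay = `${n.id || ''} ${n.className || ''}`.toLowerCase();
    return fragments.some((f) => hay.includes(f));
  });
}

// entries: [{name, startTime, initiatorType}] -- in a browser: performance.getEntriesByType('resource')
// pageOrigin: location.origin; loadedAt: performance.now() taken once the page is idle,
// before you paste JSON. Anything starting after that is not part of the initial load.
function findLateRequests(entries, pageOrigin, loadedAt) {
  const out = [];
  for (const e of entries) {
    if (e.startTime <= loadedAt) continue;
    let origin;
    try { origin = new URL(e.name).origin; } catch { continue; } // data:/blob: URLs are local
    out.push({ url: e.name, crossOrigin: origin !== pageOrigin, via: e.initiatorType });
  }
  return out;
}

// Constructed sample data standing in for a real page (ids are placeholders).
const SAMPLE_NODES = [
  { id: 'app-root', className: 'formatter' },
  { id: 'give-freely-root-xyz', className: '' },
  { id: '', className: 'btn donate-banner' },
];
const SAMPLE_ENTRIES = [
  { name: 'https://tool.example/app.js', startTime: 120, initiatorType: 'script' },
  { name: 'https://tracker.example/collect?x=1', startTime: 4800, initiatorType: 'xmlhttprequest' },
  { name: 'https://tool.example/worker.js', startTime: 5100, initiatorType: 'fetch' },
];

function auditSample() {
  return {
    injected: findInjectedNodes(SAMPLE_NODES).map((n) => n.id || n.className),
    late: findLateRequests(SAMPLE_ENTRIES, 'https://tool.example', 2000),
  };
}
console.log(JSON.stringify(auditSample(), null, 2));
```

A same-origin late request (the worker.js entry) is not proof of exfiltration, but a cross-origin one during formatting is the signal the post describes.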
The Bigger Pattern
Every "free" dev tool that survives long enough faces the monetization question. The honest ones charge. The dishonest ones sell tracking.
There's a reason so many developers are migrating back to paid tools — not because they're better, but because the business model is legible. $9 once for a tool with no subscription and no ads is easier to reason about than "free" with an adtech backdoor waiting to activate.
The price of "free" in the dev tool market is almost always "you get monetized eventually." The dishonest version is adware. The honest version is a SaaS subscription. The rare version is one-time payment with no strings.
Checklist: Uninstall, Replace, Move On
- Go to chrome://extensions. Remove "JSON Formatter" if still installed.
- Clear your browser cache and cookies for any site the extension may have injected into.
- Rotate any auth tokens, API keys, or credentials that may have been pasted into JSON being formatted by the extension in the last 30 days. This is paranoid but cheap.
- Pick a replacement from section 2 above and bookmark it.
- Set a calendar reminder for 6 months from now to check that your replacement hasn't drifted. Audit it with DevTools at that time.
Septim Forge — 22 dev tools, all client-side
Free forever. $9 once unlocks Pro: Diff Checker, SQL Formatter, CSV↔JSON, JSON→TypeScript, Code Minifier, and advanced tools. No server calls. No data collection. No extension — it's a web app, so the adware attack path physically cannot apply.
Try Septim Forge Free →
If you're a browser-tool refugee: Septim Vault is a client-side encrypted vault for dev secrets (API keys, tokens, .env values) built on the same no-server principle. Tonight only: Vault + Drills (25 Claude Code skills) bundled for $39. septimlabs.vercel.app/tonight · expires midnight ET.
Until the browser extension permission model fundamentally changes, this will keep happening. The JSON Formatter incident is a reminder that every dev tool you trust is one auto-update away from an adversarial role. Pick tools where the trust model is legible — client-side, open source, or paid by someone who doesn't need to sell your data.
— The Septim Labs team