
If you use the JSON Formatter Chrome extension, uninstall it now and keep reading. In early April 2026, users began noticing that the extension was injecting ads, hijacking checkout pages with donation prompts, and adding tracking scripts to their browsers. The extension — which has millions of weekly users — had been sold or co-opted, and a trusted dev tool became adware overnight.

Why this matters: JSON formatters sit between you and production data. Auth tokens, customer PII, API keys, database rows — whatever you paste. An extension with an adware backdoor is a data-exfiltration backdoor. The blast radius is larger than "annoying popups."

What Actually Happened

A user on Hacker News (jkl5xx) flagged it first: a suspicious element called give-freely-root-bcjindcccaagfpapjjmafapmmgkkhgoa appeared in the Chrome inspector. Hours later, another user got a Malwarebytes quarantine alert specifically for JSON Formatter. The full HN thread has 136 comments of developers confirming the pattern and debating what happened.

The mechanism is textbook:

  1. Popular free extension gets millions of installs over years.
  2. Original author gets "approached twice to add a search and tracking script" (HN user nip describes the direct pitch).
  3. At some point, someone says yes — or the extension is sold to someone who will.
  4. A routine auto-update pushes the monetization code. Your browser trusts the update. Adware is now running with your extension's permissions.

This isn't new. The Hacker News covered a breach on JSON Formatter's website back in November 2025. The pattern repeats because browser extensions are the softest attack surface in the entire developer toolchain.

The Actually-Safe Alternatives

If you format JSON more than twice a week, you need a tool that lives outside the browser-extension threat model. Here are three categories of replacement, ranked by how much of the risk each one removes.

1. A Client-Side Web App Best · $0 – $9

A web app that runs entirely in your browser — no backend, no data sent to a server. Opening it feels identical to using an extension, but the attack surface is exactly the one tab you're looking at. No auto-updater. No OAuth scope. No permissions on other tabs.

Septim Forge is one option (built by us, disclosed): 22 developer utilities — JSON formatter, JWT decoder, diff checker, SQL formatter, CSV↔JSON, regex tester, UUID, hashes — all running client-side with zero server calls. 16 tools are free, 6 Pro tools are $9 once, for life. Your data never leaves the page.

Wes Bos also shipped JSON Alexander as a response to the same incident. Different philosophy (extension, but a new clean one), similar privacy stance.

Key question to ask of any client-side web tool: open DevTools → Network tab → paste JSON → does anything outbound fire? If yes, it's not actually client-side.
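The DevTools check above can be made repeatable: paste JSON containing a unique canary string, export the Network tab as a HAR file, and scan it. This is an added example, not code from the original post or from any tool it names; the hosts, canary value and HAR excerpt are constructed, and `auditHar` is a hypothetical helper name.

```javascript
// Added example. Constructed HAR 1.2 excerpt; hosts and canary are placeholders.
const CANARY = "canary-7f3a91";
const sampleHar = { log: { entries: [
  { startedDateTime: "2026-04-10T12:00:01.000Z",
    request: { method: "GET", url: "https://tool.example/app.js", headers: [] } },
  { startedDateTime: "2026-04-10T12:00:09.000Z",
    request: { method: "POST", url: "https://collect.example/v1/e", headers: [],
               postData: { text: '{"payload":"canary-7f3a91"}' } } },
  { startedDateTime: "2026-04-10T12:00:10.000Z",
    request: { method: "GET", headers: [],
               url: "https://cdn.example/p.gif?d=%7B%22k%22%3A%22canary-7f3a91%22%7D" } },
] } };

// auditHar (hypothetical helper): list every request that started at or after
// the paste, marking third-party destinations and visible canary leaks.
// A canary that was encoded or encrypted before sending will not match, so
// any entry returned here is a finding; leaksCanary only adds confirmation.
function auditHar(har, pageOrigin, pasteTimeIso, canary) {
  const pasteTime = Date.parse(pasteTimeIso);
  const findings = [];
  for (const entry of har.log.entries) {
    if (Date.parse(entry.startedDateTime) < pasteTime) continue; // page-load traffic
    const req = entry.request;
    let decodedUrl = req.url;
    try { decodedUrl = decodeURIComponent(req.url); } catch (_) { /* keep raw URL */ }
    const haystack = [
      decodedUrl,
      req.postData?.text ?? "",
      ...(req.headers ?? []).map((h) => h.value),
    ].join("\n");
    findings.push({
      url: req.url,
      method: req.method,
      thirdParty: new URL(req.url).origin !== pageOrigin,
      leaksCanary: haystack.includes(canary),
    });
  }
  return findings;
}

// The paste happened at 12:00:05; a client-side-only tool would yield [].
console.log(auditHar(sampleHar, "https://tool.example",
                     "2026-04-10T12:00:05.000Z", CANARY));
```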

2. A Self-Hosted Tool Most-paranoid · $0

If you're really allergic to trusting anyone, run a local formatter. jq has been the CLI standard for years. For GUI, json-viewer as a local npm package or json-lite as a desktop app both work. Trade-off: setup friction, and you now own the security-patching responsibility.

This is the right call if your org prohibits sending code/data to any external endpoint, period.

3. A New Extension (Cautiously) If you insist · varies

If you really want the keyboard-shortcut convenience of an extension, switch to one that has (a) open source on GitHub you can audit, (b) fewer than 5 permissions requested, (c) active maintenance by a named developer with a verifiable presence.
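Criterion (b) can be checked mechanically against the `manifest.json` in the extension's repository. The following is an added example, not code from the original post; the sample manifest is constructed, `auditManifest` is a hypothetical helper, and the broad-host flag goes beyond the page's permission-count rule to surface patterns that grant access to every site.

```javascript
// Added example. Constructed manifest, not taken from any real extension.
const sampleManifest = {
  manifest_version: 3,
  name: "Example Formatter",
  permissions: ["storage", "scripting", "tabs", "webRequest", "cookies"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};

// Match patterns that cover every site the browser visits.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

// auditManifest (hypothetical helper): apply the "fewer than 5 permissions"
// rule and, as an extra signal, report all-sites host access.
function auditManifest(manifest, limit = 5) {
  const declared = manifest.permissions ?? [];
  const hostPermissions = manifest.host_permissions ?? [];
  // Manifest V2 mixes host patterns into "permissions"; V3 separates them.
  const hostPatterns = [
    ...declared.filter(isHostPattern),
    ...hostPermissions,
    ...(manifest.content_scripts ?? []).flatMap((cs) => cs.matches ?? []),
  ];
  const permissionCount = declared.length + hostPermissions.length;
  return {
    permissionCount,
    underLimit: permissionCount < limit,
    broadHosts: [...new Set(hostPatterns.filter((p) => BROAD_PATTERNS.has(p)))],
  };
}

console.log(auditManifest(sampleManifest));
```

Re-run it on each release tag you review, since a permission added in an update is the change to look for.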

Downside: this exact pattern happens every couple of years. The new safe extension may be the next adware victim in 2028.

How to Spot the Next One Early

The JSON Formatter incident isn't a one-off. Extension monetization is a well-trodden path now. Here are the early-warning signs a trusted dev extension has been compromised:

The Bigger Pattern

Every "free" dev tool that survives long enough faces the monetization question. The honest ones charge. The dishonest ones sell tracking.

There's a reason so many developers are migrating back to paid tools — not because they're better, but because the business model is legible. $9 once for a tool with no subscription and no ads is easier to reason about than "free" with an adtech backdoor waiting to activate.

The price of "free" in the dev tool market is almost always "you get monetized eventually." The dishonest version is adware. The honest version is a SaaS subscription. The rare version is a one-time payment with no strings.

Checklist: Uninstall, Replace, Move On

  1. Go to chrome://extensions. Remove "JSON Formatter" if still installed.
  2. Clear your browser cache and cookies for any site the extension may have injected into.
  3. Rotate any auth tokens, API keys, or credentials that may have been pasted into JSON being formatted by the extension in the last 30 days. This is paranoid but cheap.
  4. Pick a replacement from section 2 above and bookmark it.
  5. Set a calendar reminder for 6 months from now to check that your replacement hasn't drifted. Audit it with DevTools at that time.

Septim Forge — 22 dev tools, all client-side

Free forever. $9 once unlocks Pro: Diff Checker, SQL Formatter, CSV↔JSON, JSON→TypeScript, Code Minifier, and advanced tools. No server calls. No data collection. No extension — it's a web app, so the adware attack path physically cannot apply.


If you're a browser-tool refugee: Septim Vault is a client-side encrypted vault for dev secrets (API keys, tokens, .env values) built on the same no-server principle. Tonight only: Vault + Drills (25 Claude Code skills) bundled for $39. septimlabs.com/tonight · expires midnight ET.

Until the browser extension permission model fundamentally changes, this will keep happening. The JSON Formatter incident is a reminder that every dev tool you trust is one auto-update away from an adversarial role. Pick tools where the trust model is legible — client-side, open source, or paid by someone who doesn't need to sell your data.

— The Septim Labs team