
If you use the JSON Formatter Chrome extension, uninstall it now and keep reading. In early April 2026, users started noticing the extension had started injecting ads, hijacking checkout pages with donation prompts, and adding tracking scripts to their browsers. The extension — which has millions of weekly users — had been sold or co-opted, and a trusted dev tool became adware overnight.

Why this matters: JSON formatters sit between you and production data. Auth tokens, customer PII, API keys, database rows — whatever you paste. An extension with an adware backdoor is a data-exfiltration backdoor. The blast radius is larger than "annoying popups."

What Actually Happened

A user on Hacker News (jkl5xx) flagged it first: a suspicious element called give-freely-root-bcjindcccaagfpapjjmafapmmgkkhgoa appeared in the Chrome inspector. Hours later, another user got a Malwarebytes quarantine alert specifically for JSON Formatter. The full HN thread has 136 comments of developers confirming the pattern and debating what happened.

The mechanism is textbook:

  1. Popular free extension gets millions of installs over years.
  2. Original author gets "approached twice to add a search and tracking script" (HN user nip describes the direct pitch).
  3. At some point, someone says yes — or the extension is sold to someone who will.
  4. A routine auto-update pushes the monetization code. Your browser trusts the update. Adware is now running with your extension's permissions.

This isn't new. The Hacker News covered a breach on JSON Formatter's website back in November 2025. The pattern repeats because browser extensions are the softest attack surface in the entire developer toolchain.

The Actually-Safe Alternatives

If you format JSON more than twice a week, you need a tool that lives outside the browser-extension threat model. Here are three categories of replacement, ranked by how much of the risk each one removes.

1. A Client-Side Web App (Best · $0 – $9)

A web app that runs entirely in your browser — no backend, no data sent to a server. Opening it feels identical to using an extension, but the attack surface is exactly the one tab you're looking at. No auto-updater. No OAuth scope. No permissions on other tabs.

Septim Forge is one option (built by us, disclosed): 22 developer utilities — JSON formatter, JWT decoder, diff checker, SQL formatter, CSV↔JSON, regex tester, UUID, hashes — all running client-side with zero server calls. 16 tools are free, 6 Pro tools are $9 once, lifetime. Your data never leaves the page.

Wes Bos also shipped JSON Alexander as a response to the same incident. Different philosophy (extension, but a new clean one), similar privacy stance.

Key question to ask of any client-side web tool: open DevTools → Network tab → paste JSON → does anything outbound fire? If yes, it's not actually client-side.

2. A Self-Hosted Tool (Most paranoid · $0)

If you're really allergic to trusting anyone, run a local formatter. jq has been the CLI standard for years. For GUI, json-viewer as a local npm package or json-lite as a desktop app both work. Trade-off: setup friction, and you now own the security-patching responsibility.

This is the right call if your org prohibits sending code/data to any external endpoint, period.

3. A New Extension, Cautiously (If you insist · varies)

If you really want the keyboard-shortcut convenience of an extension, switch to one that has (a) open source on GitHub you can audit, (b) fewer than 5 permissions requested, (c) active maintenance by a named developer with a verifiable presence.

Downside: this exact pattern happens every couple of years. The new safe extension may be the next adware victim in 2028.

How to Spot the Next One Early

The JSON Formatter incident isn't a one-off. Extension monetization is a well-trodden path now. Here are the early-warning signs a trusted dev extension has been compromised:

The browser extension permission model is the actual problem

The JSON Formatter adware is a symptom. The underlying condition is that browser extensions have access to everything — and Chrome's permission model makes it easy for that access to expand silently through an auto-update.

Extensions request permissions at install time. But a new version of an extension can request additional permissions with a subtle prompt that most users dismiss. After the install, the extension runs on every page you visit, reads your DOM, can intercept network requests, and can inject arbitrary JavaScript. A JSON formatter extension that asks for "access to all websites" has, in practice, the same surface area as browser-embedded malware. The only thing stopping misuse is the developer's integrity — right up until they sell the extension to someone with different priorities.

Compare that to a client-side web app. When you open a web app in a tab, it has access to exactly that tab. It cannot read other tabs. It cannot persist code across sessions through an auto-updater. If you close the tab, it's gone. The permissions model is dramatically narrower, and the attack path that JSON Formatter exploited physically cannot apply.

What "client-side" actually means — and how to verify it

The phrase "client-side" gets used loosely. Some tools claim to be client-side but send data server-side for processing (JSON linting via API call, for example). Here's how to verify that a tool you're evaluating is actually running locally.

Open DevTools (Cmd+Option+I on Mac, Ctrl+Shift+I on Windows). Go to the Network tab. Disable cache (checkbox at the top of the panel). Paste a piece of JSON into the tool and click format. Watch the Network tab for any new requests that fire after you clicked.

A genuinely client-side tool makes zero outbound requests during formatting. The only network traffic you should see is the initial page load: the HTML, CSS, and JavaScript files that run the tool locally. If you see XHR, Fetch, or WebSocket traffic fire when you paste JSON, something is leaving your machine.

This verification takes thirty seconds. Run it before trusting any tool with production data — API keys, auth tokens, customer records, or anything from a database.
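The Network-tab check above is manual and easy to do once, harder to repeat carefully. As an added example (not code from this post or from Septim Forge), here is a monitor you can paste into the DevTools console of the tool's tab before you paste JSON. It wraps the APIs a page can use to send data out (fetch, XMLHttpRequest, WebSocket, navigator.sendBeacon) and subscribes to resource-timing entries for loads those hooks cannot see, so any outbound attempt during the paste-and-format step lands in a log you can read. The function names installOutboundMonitor and verdict, and the fake scope used in the test, are assumptions made for this example; in a browser the scope is window.

```javascript
// Added example (not from the post, not Septim Forge code): an outbound-request monitor
// for the "is it really client-side?" check. Run installOutboundMonitor(window) in the
// DevTools console of the tool's tab, paste JSON and click format, then inspect the log.
// `scope` is the window object in a browser; the test passes a constructed fake.

function installOutboundMonitor(scope) {
  const log = [];
  const originals = {};
  const record = (api, target) =>
    log.push({ api, target: String(target), at: new Date().toISOString() });

  // fetch(): Request objects carry the URL in .url; strings and URL objects stringify.
  if (typeof scope.fetch === 'function') {
    originals.fetch = scope.fetch;
    scope.fetch = function (input, init) {
      record('fetch', input && typeof input === 'object' && 'url' in input ? input.url : input);
      return originals.fetch.call(this, input, init);
    };
  }

  // XMLHttpRequest: hook open() on the prototype so every instance is covered.
  if (scope.XMLHttpRequest && scope.XMLHttpRequest.prototype) {
    const proto = scope.XMLHttpRequest.prototype;
    originals.xhrOpen = proto.open;
    proto.open = function (method, url, ...rest) {
      record('xhr', `${method} ${url}`);
      return originals.xhrOpen.call(this, method, url, ...rest);
    };
  }

  // WebSocket: subclass so `new WebSocket(url)` still yields a real socket.
  if (typeof scope.WebSocket === 'function') {
    originals.WebSocket = scope.WebSocket;
    scope.WebSocket = class extends originals.WebSocket {
      constructor(url, protocols) {
        record('websocket', url);
        super(url, protocols);
      }
    };
  }

  // navigator.sendBeacon(): the classic fire-and-forget telemetry path.
  if (scope.navigator && typeof scope.navigator.sendBeacon === 'function') {
    originals.sendBeacon = scope.navigator.sendBeacon;
    scope.navigator.sendBeacon = function (url, data) {
      record('beacon', url);
      return originals.sendBeacon.call(this, url, data);
    };
  }

  // Resource timing catches loads the hooks above cannot see (<img src>, CSS, scripts
  // injected later). Fetch/XHR traffic appears here a second time; that is expected.
  if (typeof scope.PerformanceObserver === 'function') {
    originals.observer = new scope.PerformanceObserver((list) => {
      for (const entry of list.getEntries()) record('resource', entry.name);
    });
    originals.observer.observe({ type: 'resource', buffered: false });
  }

  // Put the page back the way it was once you have your answer.
  function uninstall() {
    if (originals.fetch) scope.fetch = originals.fetch;
    if (originals.xhrOpen) scope.XMLHttpRequest.prototype.open = originals.xhrOpen;
    if (originals.WebSocket) scope.WebSocket = originals.WebSocket;
    if (originals.sendBeacon) scope.navigator.sendBeacon = originals.sendBeacon;
    if (originals.observer) originals.observer.disconnect();
  }

  return { log, uninstall };
}

// Reduce the log to the answer the post asks for: did anything leave the tab, and where to.
function verdict(log) {
  const destinations = [...new Set(log.map((e) => e.target))];
  return { clientSide: log.length === 0, count: log.length, destinations };
}

// In a browser:  const mon = installOutboundMonitor(window);
//                /* paste JSON, click format */
//                console.table(mon.log); verdict(mon.log); mon.uninstall();
```

Install the monitor only after the initial page load has finished, or the tool's own HTML, CSS and JavaScript will show up as resource entries and muddy the answer. The Network tab stays the authoritative record: a tool that stashes your input in storage and sends it on a later visit, or that ships its exfiltration inside a service worker, will not be caught by hooks installed in one tab's console.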

The extension audit you should do right now

JSON Formatter is one incident. It won't be the last. Here is a quick audit of your current extension set.

Go to chrome://extensions. For each extension, click "Details" and look at "Permissions." Any extension with "Read and change all your data on all websites" has browser-level access to everything you do in Chrome — every form you submit, every page you load, every cookie that passes through. Ask whether you actually need that extension for something that justifies that access level.

The short list of extension categories that routinely ask for — and arguably need — broad site access: ad blockers, password managers, VPN extensions. Everything else is suspect at that permission level. A JSON formatter that needs access to all websites is requesting an order of magnitude more access than its stated job requires.

As a rule: if an extension's stated function (format JSON) doesn't logically require access to every website you visit, the permission is a liability, not a feature.

Three JSON tools worth keeping on hand

If you're doing this rotation today, here is the short list.

jq (CLI): brew install jq or apt install jq. Runs entirely on your machine, processes any JSON file or piped input, has a powerful query language for filtering and transforming JSON. Zero network calls by definition. Use for scripting, pipelines, and anywhere you'd otherwise paste JSON into a web tool. Steep initial learning curve; pays off quickly.

A client-side web app: Septim Forge (our tool, disclosed) or a similar browser-hosted formatter you've audited via DevTools. Bookmarked, no install, works offline once the page loads. The formatting logic runs in your browser's JavaScript engine. Nothing leaves the tab.

Your editor's built-in formatter — VS Code, Cursor, and most modern editors format JSON natively. Cmd+Shift+P → "Format Document" with a .json file open. This is the zero-install option that was available the entire time and most developers don't think of. The editor has file-system access to your local files already, so there's no additional trust decision.

The bigger pattern

Every "free" dev tool that survives long enough faces the monetization question. The honest ones charge. The dishonest ones sell tracking.

There's a reason so many developers are returning to paid tools — not because they're necessarily better, but because the business model is legible. $9 once for a tool with no subscription and no ads is easier to reason about than "free" with an adtech backdoor waiting to activate on the next auto-update.

The price of "free" in the dev tool market is almost always "you get monetized eventually." The dishonest version is adware. The honest version is a SaaS subscription. The rare version is one-time payment with no strings.

Checklist: Uninstall, Replace, Move On

  1. Go to chrome://extensions. Remove "JSON Formatter" if still installed.
  2. Clear your browser cache and cookies for any site the extension may have injected into.
  3. Rotate any auth tokens, API keys, or credentials that may have been pasted into JSON being formatted by the extension in the last 30 days. This is paranoid but cheap.
  4. Pick a replacement from section 2 above and bookmark it.
  5. Set a calendar reminder for 6 months from now to check that your replacement hasn't drifted. Audit it with DevTools at that time.

Septim Forge — 22 dev tools, all client-side

Free forever. $9 once activates Pro: Diff Checker, SQL Formatter, CSV↔JSON, JSON→TypeScript, Code Minifier, and advanced tools. No server calls. No data collection. No extension — it's a web app, so the adware attack path physically cannot apply. Auditable via DevTools in thirty seconds.


The same principle that makes a client-side JSON formatter trustworthy applies to anywhere you store sensitive dev data. Which brings up the question most developers defer until something goes wrong: where do your API keys actually live right now?

If the answer is a browser extension, a cloud-sync password manager, or a plaintext .env file committed to a private GitHub repo — each of those is a version of the same problem. You're trusting a third party with credentials that have production access. The JSON Formatter incident is a reminder that third-party trust is not permanent.

Septim Vault ($29) is an encrypted browser-side vault for dev secrets — API keys, tokens, .env values. AES-256-GCM encryption, performed entirely in-browser. Your vault data never leaves your device — no server-side storage of secrets. Pay once. The architecture is the same no-server principle as a genuine client-side formatter: the code runs in your browser, your secrets never leave your machine. No auto-updater with expanded permissions. No third-party infrastructure to be compromised. You have the key; no one else does.

The trust model is legible. That's the whole point.


Until the browser extension permission model fundamentally changes, incidents like JSON Formatter will keep recurring. Every dev tool you trust is one auto-update away from an adversarial role. Pick tools where the business model — and the data handling — is legible before you need it to be.

— The Septim Labs team