Your Favorite JSON Formatter Extension Might Be Serving You Ads Now
If you’ve ever worked with APIs, you’ve probably installed a JSON formatter extension. One click, forget it exists, and enjoy pretty-printed responses forever. But that “forget it exists” part is exactly what makes these tools dangerous. Because one day, that extension you haven’t thought about in years pushes a silent update — and suddenly your browser is injecting affiliate links into every page you visit.
The Playbook: Open Source to Ad Machine
The pattern is almost boringly consistent at this point. A developer builds a useful open-source extension. It hits a few million installs. The developer moves on, loses interest, or gets an offer they can’t refuse. Ownership transfers. The new owner flips the code to closed source and quietly injects ad SDKs or tracking scripts.
From your perspective, nothing changes. Same name, same icon, same core functionality. What’s different is invisible: affiliate links injected into web pages, search results manipulated, browsing data shipped to third parties. The extension you trusted three years ago is now a completely different piece of software wearing familiar clothes.
Chrome Web Store’s Blind Spot
The root of the problem is how the Chrome Web Store handles ownership transfers. When an extension changes hands, users get no notification. The review count, install numbers, and star ratings carry over intact. The new owner inherits a fully built trust profile they did nothing to earn.
Google has made efforts to limit extension capabilities through the Manifest V3 transition. But the fundamental issue isn’t about permission scope — it’s about trust continuity. There is effectively no way to verify whether the developer you trusted years ago is the same entity controlling the code today. The Web Store treats identity as a mutable property while presenting trust metrics as if they’re permanent.
Small Tools, Big Attack Surface
Here’s the irony: the simpler the extension, the more dangerous this pattern becomes. JSON formatters, color pickers, tab managers — these are prime targets for three reasons.
First, they’re invisible after installation. You actively monitor your password manager or VPN extension. A formatter? You forgot it was there by lunchtime on install day.
Second, their permission requests look completely reasonable. A JSON formatter needs “read data on all websites” to do its job. That same permission is all an adware payload needs to do its job too.
Third, the sheer number of alternatives kills community accountability. When one goes bad, most people just uninstall and grab another. There’s no outrage cycle, no sustained pressure for the Web Store to act. The problem quietly migrates to the next popular extension.
“Open Source” Is Not a Safety Guarantee
The instinct to trust open-source software is usually sound. But in the extension ecosystem, it breaks down at a critical juncture: the moment a project goes from open to closed source. The GitHub repo gets archived or deleted. The build published to the Chrome Web Store becomes unverifiable.
There is no official mechanism to confirm that a published .crx file actually matches any public source code. Without reproducible builds — something the Web Store does not require — the “open source” label is a snapshot of a moment in time, not an ongoing guarantee. It gave you confidence at install time. It means nothing two ownership transfers later.
What You Can Actually Do
There’s no perfect fix, but a few habits meaningfully reduce your exposure.
Audit your extensions regularly. Go to chrome://extensions and ask one question about each entry: “Am I still actively using this?” If the answer is no, don’t disable it — delete it. Every idle extension is attack surface you’re carrying for free.
Pay attention to permission change prompts. Chrome automatically disables extensions that request new permissions. When that dialog pops up, don’t reflexively click “Allow.” Ask why a JSON formatter suddenly needs access to your browsing history.
Consider replacing simple extensions with built-in tools. For JSON formatting, your browser’s DevTools console handles it fine with JSON.parse and JSON.stringify. One fewer extension is one fewer trust dependency.
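The audit habit above can be scripted so that it runs on a schedule instead of relying on memory. This is an added example, not code from the original post: it reads each installed extension's manifest from Chrome's on-disk layout (assumed here to be <profile>/Extensions/<id>/<version>/manifest.json), flags host access broad enough to read every site, and diffs against an earlier snapshot so a silent update that widens permissions shows up even if you clicked through the prompt. The sample manifests and extension ids are constructed for the demo and go beyond the post by covering both MV2 and MV3 manifest layouts.

```python
import json
import os
import tempfile

# Host patterns that amount to "read and change data on all websites".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def snapshot(ext_root):
    """Summarise the newest <ext_root>/<id>/<version>/manifest.json for each installed id."""
    snap = {}
    for ext_id in os.listdir(ext_root):
        versions = os.listdir(os.path.join(ext_root, ext_id))  # Chrome names these like "1.4.0_0"
        newest = max(versions, key=lambda v: [int(x) for x in v.split("_")[0].split(".")])
        with open(os.path.join(ext_root, ext_id, newest, "manifest.json"), encoding="utf-8") as fh:
            m = json.load(fh)
        # Fold MV2 "permissions" hosts, MV3 "host_permissions" and content-script "matches" into one list.
        access = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
        access |= {pat for cs in m.get("content_scripts", []) for pat in cs.get("matches", [])}
        snap[ext_id] = {"name": m.get("name"), "version": m.get("version"), "access": sorted(access)}
    return snap

def audit(current, previous=None):
    """Flag broad host access, and any access change since a previous snapshot (drift)."""
    findings = {}
    for ext_id, e in current.items():
        flags = ["broad-host-access"] if BROAD_HOSTS & set(e["access"]) else []
        old = (previous or {}).get(ext_id)
        if old and old["access"] != e["access"]:
            flags.append("permissions-changed")  # the case Chrome's re-enable prompt warns about
        findings[ext_id] = flags
    return findings

SAMPLE = {  # constructed profile with hypothetical ids; key is "<id>/<version dir>"
    "jsonformatterxxxx/1.4.0_0": {"name": "JSON Pretty", "version": "1.4.0", "permissions": ["storage"]},
    "colorpickeryyyy/0.9.2_0": {"name": "Color Pick", "version": "0.9.2", "permissions": ["activeTab"]}}
def write_sample_profile(formatter_hosts):
    """Write SAMPLE to a temp dir, giving the formatter the supplied MV3 host_permissions."""
    root = tempfile.mkdtemp()
    for rel, m in SAMPLE.items():
        os.makedirs(os.path.join(root, rel))
        extra = {"host_permissions": formatter_hosts} if rel.startswith("jsonformatter") else {}
        with open(os.path.join(root, rel, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump({**m, **extra}, fh)
    return root

def run_demo():
    """Before: the formatter has no host access. After a silent update: every site."""
    before = snapshot(write_sample_profile([]))
    after = snapshot(write_sample_profile(["<all_urls>"]))
    return audit(before), audit(after, previous=before)
```

Against a real profile, call snapshot() on the Extensions directory, save the result as JSON, and pass the saved copy as previous on the next run; anything tagged permissions-changed deserves the same question the post asks of the prompt.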
Browser extensions sit on top of the software you use more than anything else, making them a supply chain in the most literal sense. Yet the trust model underpinning that supply chain is shockingly thin. High ratings and millions of installs don’t signal safety — they signal exactly how valuable that extension is as a target. When was the last time you actually looked at what’s installed in your browser?