
The JSON Formatter Adware Incident Is a Chrome Extension Trust Problem, Not an Isolated Case

Source: hackernews

The JSON Formatter extension built by Callum Locke was, for years, on nearly every developer’s must-install list. It did one thing well: intercept raw JSON responses in the browser and render them as collapsible, color-coded trees instead of an unreadable wall of text. The GitHub repo sits at thousands of stars, the Chrome Web Store listing accumulated millions of installs, and the extension appeared in countless “essential dev tools” roundups.

Now it’s injecting adware. The HackerNews thread surfaced users reporting affiliate link injection, modified prices on retail pages, and unexpected network requests, all delivered silently via Chrome’s auto-update mechanism to an installed base built on years of legitimate, trustworthy behavior.

This is not surprising. It is the predictable endpoint of a structural problem in how browser extension distribution works.

The Mechanics

The original GitHub repository has been archived, meaning Callum Locke stopped actively maintaining it some time ago. That’s a normal, reasonable thing for a developer to do with a side project they no longer use. The problem is the asymmetry between the GitHub repo (the source of truth, now read-only and quiet) and the Chrome Web Store listing (still live, still trusted, still pushing updates to millions of browsers).

When a developer loses interest in an extension, the Chrome Web Store account associated with that extension does not lose interest. It stays active. It can push updates. And if that account is either sold deliberately or compromised by credential theft, whoever controls it can push whatever code they want to every user who has the extension installed, with no notification beyond the ordinary silent background update Chrome performs constantly.

The extension’s original permissions made this particularly clean for an adware operator. JSON Formatter legitimately needed <all_urls> host access, because rendering JSON works on any URL returning a JSON content type. Those permissions were appropriate for the original use case. Once the extension was compromised, those same permissions became an open door: read every page, modify every page, intercept every navigation. No new permission prompt was required because the permissions were already granted.

This Pattern Has a History

The most widely discussed precedent is The Great Suspender, a tab-suspension extension with millions of users that its original developer, Dean Oemcke, sold in mid-2020. The new owner gradually introduced obfuscated tracking and data harvesting code. Security researchers documented the malicious additions in detail. Google eventually removed the extension from the Chrome Web Store and force-disabled it in users’ browsers in February 2021, the kind of drastic action Chrome takes rarely enough that the warning message surprised many users who had no idea their browser could do that.

Before that, there was Stylish, a custom CSS injection extension with two million users that was acquired by SimilarWeb and began logging the full URL of every page visited. The data collection was disclosed in a privacy policy update, but buried well enough that nearly no one noticed. Researcher Robert Heaton documented the exfiltration in detail; both Google and Firefox removed the extension.

In 2019, journalist and security researcher Sam Jadali documented DataSpii, a family of extensions harvesting detailed browsing data from tens of millions of users, including Hover Zoom+ and SpeakIt!. The data was being sold to analytics companies. Jadali’s reporting was meticulous, involving fake decoy URLs and careful traffic analysis to trace the exfiltration path.

In 2020, Nano Adblocker and Nano Defender were sold to a Turkish developer who added code to silently interact with social media posts on behalf of users. The new owner’s additions were noticed within days by community members who compared the new extension code against the previous version.

The JSON Formatter situation sits in the same category. The specific mechanism varies from case to case, whether credential theft, deliberate sale, or a seemingly legitimate transfer to a new maintainer. The outcome is consistent.

What the Chrome Web Store Does Not Do

Google permits ownership transfers of Chrome Web Store listings without any requirement to notify users. When a publisher account changes hands, existing installs continue auto-updating, and nothing in the browser’s UI surfaces the change. There is no equivalent of a WHOIS transfer notification, no flag in the extension management page showing that the listed developer has changed.

When malicious functionality is added within the scope of already-granted permissions, no new permission prompt is triggered. A user who granted <all_urls> access years ago when installing a legitimate tool receives no warning when the extension’s new controller starts using those permissions for adware.

Manifest V3, Google’s contested overhaul of the Chrome extension API, addressed some of the mechanisms that made extensions dangerous in earlier incarnations. Remote code execution via eval() is blocked under MV3, and the network request interception model changed in ways that limit certain attack patterns. But MV3 does not prevent adware injection via DOM manipulation, affiliate link replacement, or data exfiltration, all of which can be accomplished within the permissions a legitimate extension already holds. The debate around MV3 focused heavily on ad blocking capabilities, but the extensions-as-adware-vector problem it does not solve is arguably more pressing.

What a Developer Should Do With Their Extensions

If you built a Chrome extension and you no longer want to maintain it, a few options are better than abandonment:

  • Remove it from the Chrome Web Store entirely. This forces existing users to uninstall it rather than leaving them silently exposed.
  • Publish a final update that displays a deprecation notice and removes all sensitive permissions.
  • If you want to transfer it to new maintainers, vet them seriously. The incoming offer emails from extension brokers are not job applications from well-meaning community members.
  • Archive the GitHub repo by all means, but understand that archiving the source repository does not decommission the distribution channel.
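The second option above, a final release that strips sensitive permissions and only shows a deprecation notice, is easy to get wrong by leaving a content script or background worker behind. The following is an added example, not code from the original post or from the JSON Formatter project: it takes a constructed MV3 manifest shaped like a typical JSON-rendering extension (the name, file names and version are assumptions) and produces the manifest for the deprecation build, then checks that no page-access surface remains.

```javascript
// Added example (not from the original post or any real extension):
// build the "final update" manifest by dropping every host permission,
// content script and background worker, leaving only a toolbar popup
// that displays a deprecation notice.

// Constructed input: what the manifest of a JSON-rendering extension
// typically looks like before deprecation. All values are assumptions.
const ORIGINAL_MANIFEST = {
  manifest_version: 3,
  name: 'Example JSON Pretty Printer',            // hypothetical name
  version: '1.8.2',
  description: 'Renders raw JSON responses as a collapsible tree.',
  permissions: ['storage', 'scripting'],
  host_permissions: ['<all_urls>'],               // needed to render JSON on any origin
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'], run_at: 'document_end' }],
  background: { service_worker: 'background.js' },
  action: { default_popup: 'options.html' },
};

// Chrome only applies an update whose version string is strictly higher,
// so the deprecation build bumps the last numeric component.
function bumpVersion(version) {
  const parts = version.split('.').map(Number);
  parts[parts.length - 1] += 1;
  return parts.join('.');
}

function buildDeprecationManifest(original) {
  return {
    manifest_version: 3,
    name: original.name,
    version: bumpVersion(original.version),
    description: `${original.name} is no longer maintained. Please uninstall it.`,
    // Empty on purpose: a notice page needs no API permissions at all.
    permissions: [],
    // No host_permissions, no content_scripts, no background worker:
    // the only code that can run is the popup the user opens by hand.
    action: { default_popup: 'deprecated.html', default_title: 'This extension is deprecated' },
  };
}

// Manifest fields that grant page access or run code without user action.
const SENSITIVE_FIELDS = ['host_permissions', 'content_scripts', 'background'];

// Returns the names of sensitive fields still present in a manifest,
// plus 'permissions' if any API permission is still requested.
function sensitiveSurfaceRemaining(manifest) {
  const left = SENSITIVE_FIELDS.filter((field) => manifest[field] !== undefined);
  if ((manifest.permissions || []).length > 0) left.push('permissions');
  return left;
}

const FINAL_MANIFEST = buildDeprecationManifest(ORIGINAL_MANIFEST);
console.log(JSON.stringify(FINAL_MANIFEST, null, 2));
console.log('sensitive surface left:', sensitiveSurfaceRemaining(FINAL_MANIFEST));
```

Run it with Node to see the generated manifest; the last line should report an empty list. The popup page itself (`deprecated.html`, a hypothetical file) only needs static text telling the user to remove the extension, and because the build requests no permissions, Chrome will not show a new prompt when the update lands.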

The CWS listing is a live weapon as long as it has publisher permissions. Treating it like a forgotten GitHub project is the mistake.

What a Developer Should Do as a User

For extensions already installed, a few checks are worth running:

# In Chrome, navigate to:
chrome://extensions

For each extension, look at the permissions listed, check when it was last updated, and compare the listed developer name against what you remember installing. Tools like Chrome Extension Source Viewer let you read the extension’s actual JavaScript code directly from the CWS listing without installing it. A sudden addition of network request handlers or DOM mutation code in an extension that previously did something narrow and contained is worth paying attention to.
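The comparison described above, a previous version against what the CWS listing ships now, can be made mechanical at the manifest level. The following is an added example, not code from the original post or any real extension: it diffs two constructed manifest.json objects (an old, narrow version and a newer one that gains host scope, request APIs, a new content script and a background worker; all names and values are assumptions) and reports each change, marking the ones that broaden page or network access. It goes slightly beyond the post by also treating a narrow-scope content script or a harmless API permission as low-attention rather than high.

```javascript
// Added example (not from the original post or any real extension):
// report what changed between two versions of an extension manifest,
// flagging changes that widen page or network access.

// Constructed "before": a narrow JSON renderer (assumed values).
const OLD_MANIFEST = {
  manifest_version: 3, name: 'Example JSON Pretty Printer', version: '1.8.2',
  permissions: ['storage'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'], run_at: 'document_end' }],
};

// Constructed "after": the same extension with additions of the kind the
// post says deserve attention (hypothetical file names).
const NEW_MANIFEST = {
  manifest_version: 3, name: 'Example JSON Pretty Printer', version: '1.9.0',
  permissions: ['storage', 'alarms', 'webRequest', 'webNavigation', 'scripting'],
  host_permissions: ['<all_urls>'],
  content_scripts: [
    { matches: ['<all_urls>'], js: ['content.js'], run_at: 'document_end' },
    { matches: ['*://*/*'], js: ['inject.js'], run_at: 'document_start' },
    { matches: ['https://example.com/*'], js: ['extra.js'] },
  ],
  background: { service_worker: 'bg.js' },
};

// API permissions that let an extension observe or alter traffic and pages.
const TRAFFIC_PERMISSIONS = new Set([
  'webRequest', 'webRequestBlocking', 'declarativeNetRequest',
  'declarativeNetRequestWithHostAccess', 'webNavigation', 'scripting', 'cookies', 'tabs',
]);

// Match patterns that cover every site.
const BROAD_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Elements of newList that are not in oldList (either may be absent).
function added(oldList, newList) {
  const previous = new Set(oldList || []);
  return (newList || []).filter((item) => !previous.has(item));
}

// Identity of a content script entry: which files run, and when.
function scriptKey(cs) {
  return `${(cs.js || []).join(',')}@${cs.run_at || 'document_idle'}`;
}

// Returns a list of { kind, value, high } findings; high=true marks changes
// that grant broad page/traffic access or add code that runs without a page.
function diffManifests(oldM, newM) {
  const findings = [];
  for (const host of added(oldM.host_permissions, newM.host_permissions)) {
    findings.push({ kind: 'host_permission', value: host, high: BROAD_PATTERNS.has(host) });
  }
  for (const perm of added(oldM.permissions, newM.permissions)) {
    findings.push({ kind: 'api_permission', value: perm, high: TRAFFIC_PERMISSIONS.has(perm) });
  }
  const oldScripts = new Set((oldM.content_scripts || []).map(scriptKey));
  for (const cs of newM.content_scripts || []) {
    if (oldScripts.has(scriptKey(cs))) continue;
    const broad = (cs.matches || []).some((pattern) => BROAD_PATTERNS.has(pattern));
    findings.push({ kind: 'content_script', value: scriptKey(cs), high: broad });
  }
  if (!oldM.background && newM.background) {
    // A new worker means code now runs on install and in the background.
    findings.push({ kind: 'background', value: newM.background.service_worker || 'scripts', high: true });
  }
  return findings;
}

function highRiskFindings(oldM, newM) {
  return diffManifests(oldM, newM).filter((finding) => finding.high);
}

for (const finding of diffManifests(OLD_MANIFEST, NEW_MANIFEST)) {
  console.log(`${finding.high ? 'HIGH' : 'info'}  ${finding.kind}: ${finding.value}`);
}
```

To use it against a real extension, replace the two constructed objects with the manifest.json you kept from the earlier version and the one the source viewer shows for the current listing. A manifest diff is only the first pass: changes confined to the JavaScript files, which this example does not read, still need the same side-by-side reading the Nano Adblocker community did.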

For JSON formatting specifically, alternatives worth considering include JSON Viewer, JSONVue, or simply relying on Firefox’s built-in JSON viewer, which has been solid for years without any third-party extension required.

More broadly: remove extensions you do not use actively. Every installed extension is a persistent background process with whatever permissions it was granted at install time. An extension installed in 2018 that you have not thought about since is not a neutral bystander.

The Underlying Problem

Browser extensions are an unusual piece of software. They are installed once, trusted immediately, and then forgotten. Unlike a web app, there is no login page you revisit that might look different if something changed. Unlike a native application, updates are silent and automatic with no patch notes in sight.

The Chrome Web Store’s design optimizes for the initial install experience: a clean listing, a clear description, a permission prompt. It puts almost no infrastructure around what happens to an extension’s ownership over the years after install, during the long tail when millions of users have the extension running and the original developer has moved on.

The JSON Formatter adware incident will not be the last one. The economics are too favorable: popular developer tools with broad host permissions, installed by technically sophisticated users who browse high-value pages (GitHub, AWS consoles, payment systems, internal tools), are worth real money to operators willing to pay for the publisher account. Until the Chrome Web Store builds meaningful safeguards around ownership transfers and requires user notification when a listing changes hands, this pattern will keep recurring on a predictable schedule.
