JSON formatter Chrome plugin now closed and injecting adware
Extension turned adware / behavior change
- A popular JSON formatting Chrome extension went closed source and began injecting third‑party UI into retail checkout pages, described as adware and geolocation/analytics tracking.
- Some users noticed a new DOM root element on unrelated sites (including localhost), leading them to trace it back to the extension.
- A different JSON formatter extension responded on the Chrome Store claiming it had only “analytics experiments” and rolled them back, but commenters clarified this was not the same one being discussed.
- The new affiliate/donation system (“Give Freely”) is framed by its integrator as optional, anonymous, charity‑funded affiliate fees that can be disabled. Commenters still characterize it as intrusive adware.
Trust, betrayal, and monetization pressure
- Many see this as a betrayal of long‑term users, especially given earlier public assurances that no tracking would ever be added.
- Others emphasize financial pressure on maintainers, and note constant offers to buy or “monetize” popular extensions, sometimes with very attractive revenue claims.
- There is debate over whether this is understandable monetization or clearly unethical behavior; most agree the implementation is deceptive.
Extension permissions and security model
- Multiple comments argue WebExtension permissions are effectively broken: a JSON formatter needing DOM read/write access ends up with power to inject arbitrary scripts on all sites.
- The generic permission wording (“read and change all your data on all websites”) is seen as dangerously understated.
- Some defend Manifest V3 as a security improvement; others argue it weakens state‑of‑the‑art ad blocking while not preventing this kind of abuse.
Marketplace governance and auto‑updates
- Strong sentiment that browser extension stores are failing at malware detection and abuse prevention, despite strict control and rent‑seeking.
- Auto‑updates are called a “socially accepted RCE backdoor”: a benign extension can turn malicious overnight without user consent.
- Some propose stricter review for extensions with broad host permissions, open‑source + reproducible builds, or disabling auto‑updates by default.
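
The points above about all-sites DOM access and about extra scrutiny for broad host permissions can be checked locally. The following is an added example, not code from the thread or from any extension discussed: a Python audit that lists which installed extensions declare all-sites access. It assumes the directory passed on the command line is a Chrome profile's Extensions folder laid out as `<id>/<version>/manifest.json`; the `SAMPLE` manifest is constructed.

```python
import json, re, sys
from pathlib import Path

# A match pattern whose host part is a bare "*" applies to every site.
_ALL_HOSTS = re.compile(r"^(\*|https?|wss?|ftp)://\*/")
_HOST_KEYS = ("permissions", "optional_permissions",
              "host_permissions", "optional_host_permissions")

# Constructed sample, not the manifest of any real extension.
SAMPLE = {"manifest_version": 3, "name": "Example JSON viewer", "version": "1.0",
          "permissions": ["storage"], "host_permissions": ["<all_urls>"],
          "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}]}

def is_broad(pattern):
    return pattern == "<all_urls>" or bool(_ALL_HOSTS.match(pattern))

def audit_manifest(manifest):
    """Return the all-sites grants declared by one parsed manifest.json."""
    grants = []
    # MV2 mixes host patterns into "permissions"; MV3 splits them out.
    for key in _HOST_KEYS:
        grants += [f"{key}: {p}" for p in manifest.get(key, [])
                   if isinstance(p, str) and is_broad(p)]
    # A content script runs inside the DOM of every page its "matches" cover.
    for cs in manifest.get("content_scripts", []):
        grants += [f"content_scripts: {p}" for p in cs.get("matches", [])
                   if is_broad(p)]
    return {"name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "all_sites": grants}

def scan(extensions_dir):
    """Audit each <id>/<version>/manifest.json under an Extensions directory."""
    reports = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            report = audit_manifest(manifest)
        except (OSError, ValueError, AttributeError):
            continue  # unreadable or malformed manifest
        report["id"] = path.parts[-3]
        reports.append(report)
    return reports

if __name__ == "__main__":
    found = scan(sys.argv[1]) if len(sys.argv) > 1 else [audit_manifest(SAMPLE)]
    for r in found:
        flag = "ALL-SITES" if r["all_sites"] else "scoped"
        print(flag, r.get("id", "-"), r["name"], r["version"], r["all_sites"])
```

Saving the output and comparing it after each auto-update shows when an extension's version changes and whether its declared reach changed with it.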
Coping strategies and alternatives
- Many report uninstalling most extensions, or only trusting a very small set (notably ad blockers).
- Several suggest building their own ultra‑minimal extensions or user scripts, sometimes with help from LLMs (“vibecoding”).
- Others recommend using browsers with built‑in JSON viewers and fewer add‑ons, or installing local unpacked extensions from source.
- Anecdotes about other compromised extensions and a long‑trusted QR app turning into malware reinforce that this is seen as part of a broader, worsening pattern.