Developing Story
JSON Formatter Chrome Plugin – Adware Injection Compromise (2026)
The JSON Formatter Chrome extension, a popular developer tool, was reported in April 2026 to have been closed and to be injecting adware into users' browsers. The incident exemplifies the browser extension hijacking threat pattern, where abandoned tools with large user bases are repurposed maliciously. Enterprise security teams with developer workstations should audit extension inventories immediately.
Importance: 70% | Confidence: 75% | Mentions: 1 | Updated: April 13, 2026
### Overview
The **JSON Formatter** Chrome browser extension, a widely used developer tool for rendering JSON data in a readable format, was reported in April 2026 to have been closed and repurposed to inject adware into users' browsers (GitHub/callumlocke, April 2026).
### Incident Details
The extension, previously open-source and maintained on GitHub under the repository `callumlocke/json-formatter`, was reportedly closed and is now injecting adware (GitHub, April 2026). The specific mechanism — whether through a compromised account, a sale to a malicious actor, or a supply chain attack — was not detailed in available reporting.
### Pattern & Significance
This incident fits a well-documented threat pattern: **browser extension hijacking**, where abandoned or sold extensions with large existing user bases are put to malicious use. Developer-focused tools are particularly high-value targets because they are often granted broad browser permissions and are installed by users with elevated system access.
### Strategic Significance
- **Software supply chain risk**: This is a direct supply chain compromise affecting developer tooling, with parallels to the CPUID/CPU-Z incident tracked separately.
- **Enterprise security exposure**: Organizations that whitelisted or deployed JSON Formatter to developer workstations face adware exposure without necessarily triggering standard endpoint alerts.
- **Browser extension governance**: Few enterprises have mature policies for auditing or locking down Chrome extension inventories, despite the attack surface they represent.
### Recommended Actions
- Audit installed Chrome extensions across developer and enterprise endpoints.
- Remove or blocklist the JSON Formatter extension (callumlocke/json-formatter).
- Review Chrome extension management policies (Google Admin Console allows allowlisting).
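One way to carry out the audit step on a single endpoint, as an added example that is not part of the original report: it walks a Chrome profile's `Extensions/<id>/<version>/manifest.json` files, resolves localized `__MSG_*__` names, and flags all-sites access. The report gives no extension ID, so matching is by display name; `WATCH_NAMES` and the function names are assumptions of this sketch.

```python
import json
import re
import sys
from pathlib import Path

# Host patterns that let an extension read or modify every page.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumption: match on display name; pin the extension ID from your own inventory.
WATCH_NAMES = {"json formatter"}

def resolve_name(version_dir: Path, manifest: dict) -> str:
    """Return the display name, resolving a __MSG_key__ placeholder via _locales."""
    name = manifest.get("name", "")
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    if not m:
        return name
    path = version_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
    try:
        msgs = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return name  # keep the raw placeholder so the entry still shows up
    for key, entry in msgs.items():
        if key.lower() == m.group(1).lower():  # message keys are case-insensitive
            return entry.get("message", name)
    return name

def audit_profile(profile_dir) -> list:
    """Inventory every installed extension version under <profile>/Extensions."""
    findings = []
    for mf in sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json")):
        try:
            manifest = json.loads(mf.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest: skip, do not abort the audit
        hosts = set(manifest.get("host_permissions", []))  # Manifest V3
        hosts |= {p for p in manifest.get("permissions", []) if isinstance(p, str)}
        for cs in manifest.get("content_scripts", []):
            hosts |= set(cs.get("matches", []))
        name = resolve_name(mf.parent, manifest)
        findings.append({
            "id": mf.parent.parent.name, "version": mf.parent.name,
            "name": name,
            "broad_access": sorted(hosts & BROAD_HOSTS),
            "watchlisted": name.strip().lower() in WATCH_NAMES,
        })
    return findings

if __name__ == "__main__":
    for finding in audit_profile(sys.argv[1]):  # path to a Chrome profile directory
        print(finding)
```

An extension ID confirmed this way can then be placed in Chrome's `ExtensionInstallBlocklist` policy.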
### Watch Items
- Identification of the threat actor or acquisition chain.
- Google's response in removing the extension from the Chrome Web Store.
- Whether similar abandoned developer extensions are targeted in follow-on campaigns.