jkl5xxJSON Formatter Chrome Plugin Now Closed and Injecting Adware
Noticed a suspicious element called give-freely-root-bcjindcccaagfpapjjmafapmmgkkhgoa in the chrome inspector today.
Turns out about a month ago, the popular open source [JSON Formatter chrome extension](https://chromewebstore.google.com/detail/json-formatter/bcji...) went closed source and started injecting adware into checkout pages. Also seems to be doing some geolocation tracking.
I didn't see this come up on hn, so I figured I'd sound the alarm for all the privacy-conscious folks here.
At this point, I feel like browser extension marketplaces are a failed experiment. I can just vibecode my own json pretty-printer extension and never deal with this problem again.
> I feel like browser extension marketplaces are a failed experiment.
People rightly criticize all of the problems around vendor-lock-in and rent-seeking with platform app stores, but this is a good example that they do indeed provide some value in terms of filtering out malware.
The degree to which they are successful at that and add enough value to overcome the downsides is an open question. But it's clear that in a world where everyone is running hundreds of pieces of software that have auto-update functionality built in and unfettered access to CPU power and the Internet, uncontrolled app stores a honeypot for malicious actors.
> People rightly criticize all of the problems around vendor-lock-in and rent-seeking with platform app stores, but this is a good example that they do indeed provide some value in terms of filtering out malware.
But browser extension marketplaces aren't a free-for-all; they're exactly like the platform app stores in all the bad ways.
Whatever value they provide is completely and totally irrelevant compared to giving Microsoft, Google, and Apple the unilateral discretion to end any software developer's career, or any software development business, by locking them out of deploying software with no recourse. Nobody has a problem with optional value-add stores, but all three have or are moving towards having complete control of software distribution on the hardware platforms used by billions of people.
This also ignores that mobile phones are now being used as an effective botnet. Just gotta get some poor devs to include your SDK and off you go.
AI companies make use of these botnets quite a bit as well. Why don't we hear more about it? because it is really really really hard to inspect what is actually happening on your phone. This post actually kinda disproves that the closed rent seeking model is better in any way.