Is Your JSON Formatter Safe? The 2026 Developer Privacy Guide
The JSON Formatter Chrome extension hit 2M+ users with adware. JSONFormatter.org leaked 80,000 files of passwords and API keys. Here's how to pick a safe JSON tool.
In March 2026, the JSON Formatter Chrome extension — trusted by over two million developers — quietly turned rogue. Without a changelog entry or notification, it began injecting adware into checkout pages, tracking user geolocation, and phoning home to external analytics endpoints. Around the same time, cybersecurity researchers at watchTowr Labs published findings that JSONFormatter.org and CodeBeautify had accumulated over 80,000 files containing developer-pasted credentials: passwords, cloud keys, Active Directory tokens, and database connection strings.
If you regularly paste JSON into online tools — and most developers do — this guide covers what happened, what risks remain, and how to evaluate whether the tool you're using is actually safe.
What Happened to the JSON Formatter Chrome Extension
The JSON Formatter extension, originally built by Callum Locke and widely regarded as a gold-standard developer tool, transitioned from open-source to closed-source in early 2026. Shortly after, community reports surfaced on DEV Community and GitHub issues describing unusual behavior: the extension was injecting scripts into e-commerce checkout pages and communicating with api.givefreely.com and events.givefreely.com without user consent.
The extension's behavior amounted to browser-level adware:
- Geolocation tracking — user location captured and transmitted to third-party endpoints
- Checkout page injection — affiliate scripts injected at point of purchase without disclosure
- Silent telemetry — usage data collected without opt-in or meaningful consent notice
Because the extension operated with broad browser permissions (it had to, to pretty-print JSON across any tab), it had access to far more than just JSON data. An estimated 2+ million users were affected before the community response triggered removal discussions.
The incident followed a known pattern: a trusted open-source tool with broad permissions gets acquired or changes hands, and the new owner monetizes via behavior the original user base never consented to. For a tool that developers use while working with API responses, configuration files, and data pipelines, the implications go beyond adware annoyance.
The JSONFormatter.org and CodeBeautify Credential Leak
The Chrome extension was not an isolated event. In late 2025, watchTowr Labs disclosed that JSONFormatter.org and CodeBeautify — two of the most-used online JSON formatting services — had retained user-submitted data far beyond any reasonable session scope.
The dataset they captured included over 80,000 files spanning five or more years of submissions:
- Database credentials (PostgreSQL, MySQL, MongoDB connection strings)
- Cloud provider keys (AWS access keys, Azure SAS tokens, GCP service account JSON)
- Active Directory credentials and LDAP configurations
- Internal API keys from financial institutions, government agencies, and technology companies
- Repository authentication tokens
This happened because developers routinely paste real data into formatting tools. A developer debugging a production API response, cleaning up a config file, or verifying a webhook payload will copy-paste the actual payload — including any credentials embedded in it. If that tool transmits the data to a server and retains it, the data persists indefinitely.
Neither service had disclosed a breach. The data was simply there, collected through normal use, accessible to anyone with the right vantage point.
Why This Keeps Happening: The Architecture Problem
The root issue is architectural. Most online JSON tools process data server-side. When you click "Format" or "Repair," your JSON is sent to their server, formatted there, and returned to your browser. This approach is simple to build and easy to scale — but it creates an inherent data handling problem: every piece of JSON you submit passes through infrastructure you don't control.
Server-side JSON processing means:
- Your data is transmitted over the network (even over HTTPS, the server sees the plaintext)
- The tool operator can log, retain, or analyze everything you submit
- A vulnerability in their storage or a change in business incentives puts your data at risk
- There is no technical guarantee that data is deleted after formatting
This is not a criticism of any specific tool's stated policy. It is a structural reality. A tool that processes data server-side has the capability to retain it, regardless of what the privacy policy says.
Client-side processing eliminates this risk entirely. When JSON is parsed, validated, and formatted entirely within your browser — using JavaScript running locally — nothing is transmitted. The server never sees your data. There is nothing to retain, leak, or monetize.
How to Check If a JSON Tool Is Client-Side
You can verify this yourself without reading any documentation:
- Open the tool in your browser
- Open browser DevTools → Network tab
- Paste JSON into the tool and trigger the operation (format, repair, validate)
- Watch the Network tab — if requests fire to an external endpoint carrying your data, the tool is server-side
For a truly client-side tool, you will see zero outbound data requests when you format or repair JSON. The entire operation happens in memory within the browser tab.
A second verification: disconnect from the internet and retry. A client-side tool should work identically offline. A server-side tool will fail or return an error.
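The Network-tab check can be made repeatable: paste JSON containing a marker string, export the recording as a HAR file, and search every recorded request for the marker. The following is an added example, not code from this guide or from any tool it names; the canary value, the findLeaks helper and the formatter.example / stats.example hosts are constructed for illustration.

```javascript
// Added example (not from the original page). Input: a HAR 1.2 export from the
// DevTools Network tab, recorded while formatting JSON that contains CANARY.

const CANARY = "canary-7f3a91c2"; // constructed marker; paste it as a JSON value

// Return the text plus its URL-decoded and base64-decoded forms, when decodable.
function views(text) {
  const out = [text];
  try { out.push(decodeURIComponent(text.replace(/\+/g, " "))); } catch (e) {}
  try { out.push(atob(text.trim())); } catch (e) {}
  return out;
}

// List every recorded request whose URL, headers or body carries the canary.
function findLeaks(har, canary) {
  const leaks = [];
  for (const { request: req } of har.log.entries) {
    const parts = {
      url: req.url,
      headers: (req.headers || []).map((h) => h.value).join("\n"),
      body: (req.postData && req.postData.text) || "",
    };
    const where = Object.keys(parts).filter((k) =>
      views(parts[k]).some((v) => v.includes(canary)));
    if (where.length) {
      leaks.push({ method: req.method, host: new URL(req.url).host, where });
    }
  }
  return leaks;
}

// Constructed HAR fragment: a static asset load, then two POSTs carrying the paste.
const sampleHar = { log: { entries: [
  { request: { method: "GET", url: "https://formatter.example/app.js", headers: [] } },
  { request: { method: "POST", url: "https://formatter.example/api/format",
      headers: [{ name: "Content-Type", value: "application/json" }],
      postData: { mimeType: "application/json",
        text: JSON.stringify({ input: '{"note":"canary-7f3a91c2"}' }) } } },
  { request: { method: "POST", url: "https://stats.example/e", headers: [],
      postData: { mimeType: "text/plain",
        text: btoa('{"clip":"canary-7f3a91c2"}') } } },
] } };

console.log(findLeaks(sampleHar, CANARY));
```

A payload that is compressed or encrypted before sending will not match the marker, so any request that fires at the moment you click Format still deserves a manual look.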
The Security Checklist for Choosing a JSON Tool
Before trusting a JSON formatter with real data, verify these five points:
1. Is processing client-side? Check the Network tab as described above. No data should leave the browser during the format/repair operation. This is the single most important criterion for data safety.
2. Is the source code auditable? Open-source tools allow community review. When the JSON Formatter Chrome extension went closed-source, it simultaneously became impossible to audit. Look for tools with public source code (GitHub links, MIT/Apache licenses). The closed-source transition was the first warning sign that community members missed.
3. Does the tool install browser extensions? Browser extensions have access to far more than the tab you're using — they can read data across all tabs, inject scripts into any page, and communicate with external servers in the background. A standalone web tool with no extension requirement is always safer.
4. What does the privacy policy actually say about data retention? Look specifically for language about server-side processing and data retention periods. "We do not store your data" means very little if the data is transmitted to their server at all — a logging misconfiguration, an infrastructure breach, or a change in ownership can expose what was never supposed to be stored.
5. Has the tool been independently reviewed? Security disclosures, DEV Community posts, GitHub issues, and HackerNews discussions leave a public record. Search for the tool name alongside "privacy," "security," "data leak," or "adware" before trusting it with production data.
What Data Is Actually at Risk When You Format JSON
Developers rarely think of JSON formatting as a security-sensitive operation, but consider what JSON typically contains:
- API response payloads — often including authentication tokens, user IDs, or session data from the endpoint being debugged
- Configuration files — database URLs, third-party API keys, OAuth credentials
- Webhook payloads — from Stripe, GitHub, or other services, frequently including secrets in headers that get copied alongside the body
- LLM API responses — which may include user prompts, conversation history, or data the model was asked to process
- Internal service responses — from microservices that assume internal-only access and include data they would never expose externally
Any of this data, submitted to a server-side tool, passes through infrastructure you don't control. The JSONFormatter.org dataset that watchTowr Labs found included production database credentials from banking and government organizations — almost certainly pasted by developers debugging real systems.
Safe JSON Tools in 2026
For formatting and validation:
aijsonmedic.com — Client-side JSON repair and validation. JSON is parsed entirely in your browser using local JavaScript; nothing is transmitted to the server. Supports advanced validation with JSON Schema, automatic repair of malformed JSON, and handles LLM output patterns (trailing commas, single quotes, truncated arrays). No account required, no extensions.
jq (terminal) — The command-line standard for JSON processing. Runs locally, no network access, open-source. cat data.json | jq '.' is the safest possible formatter for sensitive data. For developers comfortable in the terminal, this is the default recommendation for any sensitive payload.
VS Code + built-in formatter — Format JSON locally with Shift+Alt+F (or Cmd+Shift+P → Format Document). No external requests. Works offline. The Prettier extension adds additional formatting options without transmitting data.
JSON Editor Online (client-side mode) — Offers a client-side option. Verify the Network tab for any specific operation you use.
For comparison of tools including repair capabilities, see Best JSON Repair Tools 2026.
What to Do If You've Used an Affected Tool
If you have pasted sensitive data into a server-side JSON tool, treat that data as potentially compromised:
- Rotate any API keys or tokens you may have pasted — assume they have been logged
- Audit recent uses — check your git history, browser history, or clipboard manager for what you copied around times you used those tools
- Update database credentials if connection strings were formatted through any online tool
- Review cloud provider access logs for any suspicious activity on keys that may have been exposed
This is conservative advice. The probability of active exploitation from a formatter-logged key is lower than a direct breach. But the cost of rotating credentials is low, and the exposure window is unknown. For keys with broad permissions, rotation is the right call.
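To decide what to rotate, it helps to list the credential-like values in a payload you pasted. The following is an added example, not part of the original guide; the key-name and value patterns are a small illustrative set rather than a complete detector, the sample document is constructed, and the script is meant to be run locally (Node.js or the browser console).

```javascript
// Added example (not from the original page): list credential-like values in a
// JSON document so you know what to rotate. Patterns are illustrative, not exhaustive.

const SENSITIVE_KEY = /pass(word|wd)?|secret|token|api[_-]?key|authorization|private[_-]?key/i;
const VALUE_RULES = [
  ["aws-access-key-id", /\bAKIA[0-9A-Z]{16}\b/],
  ["url-with-password", /\b[a-z][a-z0-9+.-]*:\/\/[^\s:\/@]+:[^\s\/@]+@/i],
  ["jwt", /\beyJ[\w-]+\.eyJ[\w-]+\.[\w-]+/],
  ["pem-private-key", /-----BEGIN [A-Z ]*PRIVATE KEY-----/],
];

// Walk the parsed JSON; report the path and rule for each hit, never the value.
function findSecrets(node, path = "$", hits = []) {
  if (Array.isArray(node)) {
    node.forEach((v, i) => findSecrets(v, `${path}[${i}]`, hits));
  } else if (node && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) {
      const child = `${path}.${k}`;
      if (typeof v === "string" && v && SENSITIVE_KEY.test(k)) {
        hits.push({ path: child, rule: "sensitive-key-name" });
      }
      findSecrets(v, child, hits);
    }
  } else if (typeof node === "string") {
    for (const [rule, re] of VALUE_RULES) {
      if (re.test(node)) hits.push({ path, rule });
    }
  }
  return hits;
}

// Constructed sample of the kind of payload described above; no real credentials.
const pasted = JSON.parse(`{
  "db": {"url": "postgres://app:s3cr3t-constructed@db.internal.example:5432/orders"},
  "aws": {"accessKeyId": "AKIAEXAMPLEKEY000000", "region": "eu-west-1"},
  "headers": [{"name": "Authorization", "value": "Bearer eyJhbGciOiJub25lIn0.eyJzdWIiOiJkZW1vIn0.c2ln"}],
  "user": {"id": 42, "password": "constructed-password"}
}`);

console.log(findSecrets(pasted));
```

The report contains only JSON paths and rule names, so it can be shared in a ticket without repeating the exposed values.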
The Broader Lesson: Developer Tools Have Broad Access
The JSON Formatter incident illustrates a category of risk that developers underweight: the tools used during development often have more access than the systems being built.
A browser extension that runs on every page sees every page. A server-side formatter that processes API responses sees API responses from every service a developer debugs. A code beautifier that stores submissions accumulates a complete picture of the systems a development team works with.
Applying the same security evaluation you would apply to a third-party library or API to the developer tools you use every day — especially browser-based ones — is not paranoia. It is appropriate due diligence.
For JSON-specific workflows: prefer client-side tools, verify with the Network tab, and treat anything pasted into an online tool as potentially logged. The fix invalid JSON workflow on aijsonmedic happens entirely in your browser — your data never leaves the tab.
Frequently Asked Questions
Is aijsonmedic safe to use with real API responses? Yes. aijsonmedic processes all JSON locally in your browser. No data is transmitted to our servers during repair, validation, or formatting. You can verify this yourself: open DevTools → Network tab, paste JSON and click Repair — no outbound data requests will fire. The tool also works offline.
What happened to the JSON Formatter Chrome extension? The JSON Formatter Chrome extension (developed by Callum Locke, extension ID bcjindcccaagfpapjjmafapmmgkkhgoa) went closed-source in early 2026 and was subsequently found to be injecting adware into checkout pages and tracking user geolocation via third-party endpoints (givefreely.com). Over 2 million users were affected. Community documentation of the incident is available on DEV Community and in GitHub discussions on the original repository.
Did JSONFormatter.org have a data breach? JSONFormatter.org and CodeBeautify were not breached in the traditional sense — no attacker broke in. Rather, watchTowr Labs researchers found that data submitted by users over multiple years had been retained and was accessible. The dataset included over 80,000 files containing passwords, API keys, cloud credentials, and database connection strings from organizations across finance, government, and technology sectors. The finding was reported by The Hacker News and BleepingComputer.
How can I verify if a JSON tool is client-side? Open DevTools → Network tab before pasting any data. Paste your JSON and trigger the formatting or repair operation. If the tool is truly client-side, no outbound requests carrying your data will appear. You can also disconnect from the internet — a client-side tool will continue working offline. A server-side tool will fail.
Is jq safe for sensitive JSON data? Yes. jq is a local command-line tool. It runs entirely on your machine with no network access. It is the most secure option for processing sensitive JSON data and is the industry standard for production scripts and pipelines.
Which online JSON formatters should I avoid? Avoid any tool that processes data server-side (verifiable via DevTools Network tab), any tool distributed as a browser extension with broad permissions, and any tool that has gone closed-source without explanation. Based on public disclosures as of 2026, JSONFormatter.org, CodeBeautify, and any derivatives of the affected JSON Formatter Chrome extension should be treated with caution for sensitive data.