Chrome extensions are a supply chain risk - build your own instead
JSON Formatter started injecting ads. Chrome extensions are a supply chain risk. I built my own replacement in under an hour with Claude.
The JSON Formatter Chrome extension has over 2 million users. I was one of them for years. A few weeks ago it went closed-source, and shortly after, started injecting adware into web pages.

The extension was modifying the DOM on checkout pages, hijacking click and submit events to overlay donation popups. It was also running geolocation lookups against MaxMind's GeoIP2 API with a hardcoded key, profiling users by country so that people in high-income regions got more aggressive prompts. For something that was supposed to format JSON.

This is a supply chain problem, and it keeps happening.
Chrome extensions are a trust problem
The pattern is well documented at this point. A popular extension with millions of installs gets sold or transferred to a new owner. The new owner pushes an update that adds tracking and ad injection. Sometimes it goes further into outright credential theft. Users get the update automatically and have no idea anything changed.
The JSON Formatter incident is almost tame by comparison. But it hit home because I had it installed. I trusted it. And I had no real way to know when the ownership changed or the code was modified.
What I did about it
Around the same time, Pieter Levels posted about replacing all his Chrome extensions with a single one he built himself using Claude Code. His reasoning was straightforward: if the code is yours, nobody can sell it to an ad company.
I liked the idea, so I did the same thing.
I sat down with Claude Code and built a Chrome extension from scratch. The whole thing took under an hour. The result is a single Manifest V3 extension that currently replaces JSON Formatter for me, and it is extensible so new features can be added easily.

The repo is public: github.com/seanhamlin/chrome-tweaks (not that I expect you to run this, but you can see what Claude can make with a little effort).
Why build your own instead of finding another extension
You could swap JSON Formatter for another extension. There are plenty of alternatives. But that misses the point. Every third-party extension you install is a bet that the current maintainer will stay honest, won't sell it, and won't get phished. You're making that bet for every extension, and Chrome will silently auto-update them all.
Building your own means:
- You control the code. No surprises in the next update.
- You only include the permissions you actually need.
- You can combine several small utilities into one extension instead of running five separate ones with five separate attack surfaces.
Getting started with your own extension
If you have Claude (or any decent AI coding tool), this is a good afternoon project. Chrome extensions are well documented by Google, and the structure is small enough that an LLM can generate the whole thing from a prompt.
Can u make a chrome extension for chrome called "Tab Tweaks" - this extension will grow in functionality over time, so ensure it is extensible. The current functionality should include:
* Able to inject a request header to every request. The default should be the Fastly debug header `Fastly-Debug:1`. The user should be allowed to edit this, and change it, or add another header.
* A button to scan the site in www.cachingscore.com. The current URL should be URL encoded, and a new tab opened to point to `https://www.cachingscore.com/scan?q=https%3A%2F%2Fwww.example.com%2F&followRedirects=on` (replace the example URL).

Claude generated the manifest, the content script, and the CSS. I reviewed it, tested it, tweaked it, loaded it as an unpacked extension in chrome://extensions, and it worked.
Audit your extensions
Open chrome://extensions right now and look at what you have installed. For each one, ask yourself:
- Do I actually use this?
- Who maintains it? Is it still the original author?
- What permissions does it have?
- Could I replace this with a simpler version?
You will probably find at least two or three extensions you forgot about. Remove them.
For the ones you keep, consider whether the functionality is simple enough to replicate yourself. A lot of developer-focused extensions (JSON formatters, cookie viewers) are doing things that a content script or devtools panel can do in under 100 lines.
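To answer the permissions question for every installed extension at once, the following Python script (an added example, not code from the chrome-tweaks repo) reads each manifest.json under a Chrome profile's Extensions directory and sorts the extensions that can touch every site to the top. The `SENSITIVE_APIS` selection and the sample manifest are assumptions made for this example.

```python
import json
import sys
from pathlib import Path

# Match patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions worth a second look (selected for this example, not an official list).
SENSITIVE_APIS = {"clipboardRead", "cookies", "debugger", "history", "management",
                  "nativeMessaging", "scripting", "tabs", "webRequest"}
# Constructed sample manifest, used when no directory is given.
SAMPLE = {"name": "Sample Formatter", "manifest_version": 3,
          "permissions": ["storage", "scripting"],
          "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]}


def review_manifest(manifest: dict) -> dict:
    """Summarise which sites and sensitive APIs one manifest requests."""
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    # MV3 lists host patterns separately; MV2 mixes them into "permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    # Content scripts run inside pages, so their match patterns count too.
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    return {"name": manifest.get("name", "?"),
            "manifest_version": manifest.get("manifest_version"),
            "sensitive_apis": sorted(set(perms) & SENSITIVE_APIS),
            "all_sites": bool(hosts & BROAD_HOSTS),
            "hosts": sorted(hosts)}


def audit_profile(extensions_dir) -> list:
    """Review every <extensions_dir>/<id>/<version>/manifest.json."""
    reports = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if isinstance(manifest, dict):
            reports.append({"id": path.parts[-3], **review_manifest(manifest)})
    # Extensions that can touch every site sort first.
    return sorted(reports, key=lambda r: (not r["all_sites"], r["id"]))


if __name__ == "__main__":
    # Usage: pass the Chrome profile's Extensions directory as the only argument.
    found = audit_profile(sys.argv[1]) if len(sys.argv) > 1 else [review_manifest(SAMPLE)]
    for r in found:
        print(json.dumps(r, indent=2))
```

On Linux the default profile's directory is typically `~/.config/google-chrome/Default/Extensions`. Localized extensions show a `__MSG_...__` placeholder as their name, so match them by the extension ID shown in chrome://extensions.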
My extension is at github.com/seanhamlin/chrome-tweaks if you want to see how it is structured, but the real suggestion is to build your own. You will trust it more than anything in the Chrome Web Store.