In 2017, companies globally spent $80B on digital advertising—web pages and mobile apps—delivering ads to billions of users, trillions of times. The majority of these ads were rendered in JavaScript environments. Technically, the challenge for JS developers is to instantaneously find the perfect match between an advertiser and a user, regardless of the website, app, or user profile. This is fun. But economically, we’ve been incentivized to create a global delivery mechanism for arbitrary code onto every connected device, without a care for user experience. It’s the world’s largest, and spammiest, Trojan Horse, and JS developers created it. (1) Construction — What does this Trojan Horse look like at a technical level? This section covers JavaScript constructs that are really unique to ad-tech, including the rise and anatomy of the “ad tag”, creating sandboxes for arbitrary markup, cookie tracking and pixel syncing, and the impression beacon. (2) Payload — What kinds of undesirable things are being delivered to publisher properties, and onto our devices? This section goes beyond specific examples of ad quality issues, sniffing, tracking, and malware, also looking at a longer-term invasion happening beneath our feet: have content creators begun trading clicks for a kind of dystopian digital future where ad blockers are simply common sense? (3) Inversion — What can we as JS developers do about all this? This section argues that we have the power to change ad technology from a Trojan Horse into a powerful message delivery system, one that allows the coexistence of free content, advertising, and delightful user experiences. Ethical and optimistic developers will be the Trojan Horse inside the Trojan Horse.