At least 15 malicious plugins have been discovered on the JetBrains Marketplace, specifically designed to exfiltrate AI API keys from developers. The plugins, which masqueraded as legitimate tools, targeted users building or integrating AI-powered applications, exposing sensitive authentication credentials.

The campaign's scale remains uncertain, but the presence of over a dozen rogue plugins suggests a coordinated effort. Developers who installed any of the malicious plugins face immediate risk of API key compromise, potentially granting unauthorized access to AI services and their billing accounts. Active exploitation has not been confirmed, but the stolen keys could enable credential theft or service abuse.

Technical analysis indicates the plugins used obfuscated code to evade detection, siphoning API keys silently during routine development tasks. Indicators of compromise include unexpected network traffic to external servers or unusual billing spikes on AI platform accounts. Researchers urge developers to review installed plugins and monitor API usage logs for anomalies.
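The two indicators named above, unexpected traffic origins and unusual billing spikes, can both be checked from a provider's per-request usage export. The script below is an added example and not part of the original report: it runs over constructed sample log lines (date, key id, client IP, cost in cents; the format, IPs and allowlist are all assumptions) and flags any day whose spend exceeds a multiple of the median of prior days, plus any key used from an IP outside the team's known egress addresses.

```python
"""Flag billing spikes and unfamiliar client origins in AI-API usage logs (added example)."""
from collections import defaultdict
from statistics import median

# Constructed sample usage export (not from any real provider).
# Columns: date, key id, client IP, cost in USD cents.
SAMPLE_LOG = """\
2024-05-01 key_a1 203.0.113.10 120
2024-05-02 key_a1 203.0.113.10 110
2024-05-03 key_a1 203.0.113.10 130
2024-05-04 key_a1 203.0.113.10 125
2024-05-05 key_a1 203.0.113.10 115
2024-05-06 key_a1 198.51.100.77 1900
2024-05-06 key_a1 203.0.113.10 120
"""

# Constructed allowlist of the team's expected egress IPs (assumption).
KNOWN_CLIENT_IPS = {"203.0.113.10"}


def parse_usage(text):
    """Parse the four-column export into (date, key_id, ip, cents) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, key_id, ip, cents = line.split()
        rows.append((date, key_id, ip, int(cents)))
    return rows


def daily_spend(rows):
    """Aggregate spend per key per day."""
    spend = defaultdict(lambda: defaultdict(int))
    for date, key_id, _ip, cents in rows:
        spend[key_id][date] += cents
    return spend


def spend_spikes(rows, factor=3.0):
    """Return (key_id, date, cents) for days whose spend exceeds
    `factor` times the median of that key's earlier daily spend."""
    findings = []
    for key_id, by_day in daily_spend(rows).items():
        history = []
        for date in sorted(by_day):
            cents = by_day[date]
            if history and cents > factor * median(history):
                findings.append((key_id, date, cents))
            history.append(cents)
    return findings


def unknown_origins(rows, known_ips):
    """Return (key_id, ip) pairs where a key was used from an IP not on the allowlist."""
    return sorted({(key_id, ip) for _d, key_id, ip, _c in rows if ip not in known_ips})


def report(text, known_ips=KNOWN_CLIENT_IPS):
    rows = parse_usage(text)
    return {"spikes": spend_spikes(rows), "unknown_origins": unknown_origins(rows, known_ips)}


if __name__ == "__main__":
    for kind, items in report(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```

A median-based baseline is deliberately insensitive to one earlier outlier; a single stolen key used for a burst of paid requests shows up as both a spend spike and an unknown origin on the same day, which is the combination worth paging on.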

Mitigation requires immediate removal of any suspected malicious plugins and rotation of all AI API keys. JetBrains has been notified and is reviewing the marketplace listings, but no official patch or fix has been issued at the time of writing. Developers should also audit their IDE extensions regularly.
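The "review installed plugins" and "audit IDE extensions regularly" advice above can be turned into a repeatable check. The script below is an added example, not code from JetBrains or from the researchers: it walks a plugins directory, reads each jar's `META-INF/plugin.xml` (the standard JetBrains plugin descriptor, with `id`, `name`, `vendor` and `version` elements), and reports any plugin whose id is not on an approved allowlist or whose vendor differs from the expected one. The allowlist, plugin ids and vendors are constructed for the example; it builds its own throwaway plugin directory so it runs stand-alone, and in practice you would point `audit()` at a real per-product plugins path such as the `plugins/` directory under the IDE's configuration folder.

```python
"""Inventory installed JetBrains plugins and flag any not on an approved allowlist (added example)."""
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET


def read_plugin_xml(jar_path):
    """Return the descriptor fields from META-INF/plugin.xml, or None if the jar has none."""
    with zipfile.ZipFile(jar_path) as zf:
        if "META-INF/plugin.xml" not in zf.namelist():
            return None
        root = ET.fromstring(zf.read("META-INF/plugin.xml"))
    return {
        "id": (root.findtext("id") or "").strip(),
        "name": (root.findtext("name") or "").strip(),
        "vendor": (root.findtext("vendor") or "").strip(),
        "version": (root.findtext("version") or "").strip(),
        "jar": jar_path,
    }


def inventory(plugins_dir):
    """Collect descriptors for every plugin jar under plugins_dir."""
    found = []
    for root_dir, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if name.endswith(".jar"):
                meta = read_plugin_xml(os.path.join(root_dir, name))
                if meta:
                    found.append(meta)
    return found


def audit(plugins_dir, allowlist):
    """allowlist maps plugin id -> expected vendor. Returns (reason, descriptor) pairs
    for plugins that are not approved or whose vendor does not match."""
    findings = []
    for meta in inventory(plugins_dir):
        if meta["id"] not in allowlist:
            findings.append(("not on allowlist", meta))
        elif allowlist[meta["id"]] != meta["vendor"]:
            findings.append(("vendor mismatch", meta))
    return sorted(findings, key=lambda f: (f[0], f[1]["id"]))


# --- Constructed sample plugin directory so the script runs offline (assumption) ---
def _make_jar(path, plugin_id, name, vendor):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    xml = (f"<idea-plugin><id>{plugin_id}</id><name>{name}</name>"
           f"<vendor>{vendor}</vendor><version>1.0</version></idea-plugin>")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/plugin.xml", xml)


def build_sample_dir():
    """Three made-up plugins: one approved, one lookalike id, one spoofed vendor."""
    base = tempfile.mkdtemp(prefix="jb-plugins-")
    _make_jar(os.path.join(base, "Approved", "lib", "approved.jar"),
              "com.example.approved", "Approved Tool", "Example Corp")
    _make_jar(os.path.join(base, "Lookalike", "lib", "lookalike.jar"),
              "com.example.approved.helper", "Approved Tool Helper", "Unknown Publisher")
    _make_jar(os.path.join(base, "Spoofed", "lib", "spoofed.jar"),
              "com.example.other", "Other Tool", "Someone Else")
    return base


# Constructed allowlist: plugin id -> vendor the team expects (assumption).
SAMPLE_ALLOWLIST = {"com.example.approved": "Example Corp",
                    "com.example.other": "Other Corp"}


if __name__ == "__main__":
    for reason, meta in audit(build_sample_dir(), SAMPLE_ALLOWLIST):
        print(f"{reason}: {meta['id']} ({meta['name']}, vendor={meta['vendor']}) in {meta['jar']}")
```

Pinning the expected vendor alongside the id is what catches a listing that reuses a familiar name under a different publisher; run the audit from a scheduled job or a pre-commit hook and treat any finding as a reason to remove the plugin and rotate the keys that IDE had access to.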

The attack highlights growing supply chain vulnerabilities in developer tools, where trust in a plugin marketplace can be exploited. Attribution is unclear, but the targeting of AI API keys suggests a financially motivated adversary focused on leveraging developer infrastructure for illicit access.