The discovery of malicious JetBrains Marketplace plugins designed to steal Al API keys highlight a growing reality for developers: attackers are increasingly targeting the tools and integrations that power Al-assisted software development. Rather than exploiting a vulnerability in the IDE itself, these plugins abused the trust developers place in third-party extensions and the valuable credentials they manage. Al API keys are quickly becoming high-value targets because they provide both access to powerful Al services and, in some cases, pathways to sensitive code, data, and development workflows.
You can get an overview of the campaign here: Multiple JetBrains IDE plugins caught stealing AI keys
Yagub Rahimov, CEO, Polygraf AI had this to say:
“These two stories are the two sides of the same coin. They have different attack surface, but the same target, which is the AI tooling people now trust by default. The plugins steal the keys that pay for the models, whereas the extensions steal what’s actually being said to them.
The plugin malware works because the plugin does everything it promises (chat, commit messages, code review, etc), which is why it’s not being paid attention to. The theft is invisible because the product is real. The “innovation” here is the resale part – stolen keys get sold back through a donation wall while the original developer keeps paying the bill.
The extension side is more invisible – both extensions had been legitimate ad blockers before the AI interception was slipped in through an update. The tool you vetted 2 years ago isn’t the tool running today. And what leaks isn’t something you can rotate, like a password. It’s the full content of what people paste into it.
Both attacks use the same blind spot. The market was always securing the network, the endpoint, the identity layer, but existing tools see an HTTPS request, not that a contract is being pasted into a chatbot or an API key is being forwarded to an unknown server. Nobody is watching the AI interaction layer at the semantic level. What actually flows into these tools and what comes back out. That’s what shaping our approach at Polygraf AI – governing the input and output of every AI interaction in real time, rather than assuming a tool is safe because it looked legit on install day”
Developers need to check their code to see if they are using plug ins that are untrusted. If they are lucky, someone will point it out to them. If not, then it is a safe bet that someone with totally pwn them.
Related
This entry was posted on June 17, 2026 at 1:34 pm and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
Malicious JetBrains plugins show Al credentials are becoming a prime target
The discovery of malicious JetBrains Marketplace plugins designed to steal Al API keys highlight a growing reality for developers: attackers are increasingly targeting the tools and integrations that power Al-assisted software development. Rather than exploiting a vulnerability in the IDE itself, these plugins abused the trust developers place in third-party extensions and the valuable credentials they manage. Al API keys are quickly becoming high-value targets because they provide both access to powerful Al services and, in some cases, pathways to sensitive code, data, and development workflows.
You can get an overview of the campaign here: Multiple JetBrains IDE plugins caught stealing AI keys
Yagub Rahimov, CEO, Polygraf AI had this to say:
“These two stories are the two sides of the same coin. They have different attack surface, but the same target, which is the AI tooling people now trust by default. The plugins steal the keys that pay for the models, whereas the extensions steal what’s actually being said to them.
The plugin malware works because the plugin does everything it promises (chat, commit messages, code review, etc), which is why it’s not being paid attention to. The theft is invisible because the product is real. The “innovation” here is the resale part – stolen keys get sold back through a donation wall while the original developer keeps paying the bill.
The extension side is more invisible – both extensions had been legitimate ad blockers before the AI interception was slipped in through an update. The tool you vetted 2 years ago isn’t the tool running today. And what leaks isn’t something you can rotate, like a password. It’s the full content of what people paste into it.
Both attacks use the same blind spot. The market was always securing the network, the endpoint, the identity layer, but existing tools see an HTTPS request, not that a contract is being pasted into a chatbot or an API key is being forwarded to an unknown server. Nobody is watching the AI interaction layer at the semantic level. What actually flows into these tools and what comes back out. That’s what shaping our approach at Polygraf AI – governing the input and output of every AI interaction in real time, rather than assuming a tool is safe because it looked legit on install day”
Developers need to check their code to see if they are using plug ins that are untrusted. If they are lucky, someone will point it out to them. If not, then it is a safe bet that someone with totally pwn them.
Share this:
Like this:
Related
This entry was posted on June 17, 2026 at 1:34 pm and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.