Malicious JetBrains plugins show AI credentials are becoming a prime target

The discovery of malicious JetBrains Marketplace plugins designed to steal AI API keys highlights a growing reality for developers: attackers are increasingly targeting the tools and integrations that power AI-assisted software development. Rather than exploiting a vulnerability in the IDE itself, these plugins abused the trust developers place in third-party extensions and the valuable credentials they manage. AI API keys are quickly becoming high-value targets because they provide both access to powerful AI services and, in some cases, pathways to sensitive code, data, and development workflows.

You can get an overview of the campaign here: Multiple JetBrains IDE plugins caught stealing AI keys

Yagub Rahimov, CEO, Polygraf AI had this to say:

“These two stories are the two sides of the same coin. They have different attack surfaces, but the same target, which is the AI tooling people now trust by default. The plugins steal the keys that pay for the models, whereas the extensions steal what’s actually being said to them.

The plugin malware works because the plugin does everything it promises (chat, commit messages, code review, etc), which is why it’s not being paid attention to. The theft is invisible because the product is real. The “innovation” here is the resale part – stolen keys get sold back through a donation wall while the original developer keeps paying the bill.

The extension side is more invisible – both extensions had been legitimate ad blockers before the AI interception was slipped in through an update. The tool you vetted 2 years ago isn’t the tool running today. And what leaks isn’t something you can rotate, like a password. It’s the full content of what people paste into it.

Both attacks use the same blind spot. The market was always securing the network, the endpoint, the identity layer, but existing tools see an HTTPS request, not that a contract is being pasted into a chatbot or an API key is being forwarded to an unknown server. Nobody is watching the AI interaction layer at the semantic level. What actually flows into these tools and what comes back out. That’s what’s shaping our approach at Polygraf AI – governing the input and output of every AI interaction in real time, rather than assuming a tool is safe because it looked legit on install day.”

Developers need to check their code to see if they are using plugins that are untrusted. If they are lucky, someone will point it out to them. If not, then it is a safe bet that someone will totally pwn them.

UPDATE: Yogita Parulekar, CEO, Invi Grid is the first to add commentary:

   “The JetBrains Marketplace exposure illustrates a new category of business risk. Unlike a traditional breach, a stolen AI API key grants unauthorized access to billable infrastructure – attackers don’t just exfiltrate data, they resell your AI access while your quota depletes in real time. The financial impact accumulates silently, often weeks before any alert fires.

   “We see this pattern repeatedly: organizations with no visibility into AI spend consumption, blindsided by five-figure bills and compromised pipelines. The root cause is governance architecture that was never designed for AI – fragmented tools covering security, budget, and operations in isolation.

   “The organizations that navigate this threat successfully treat AI governance as a business continuity need and an end-to-end discipline that addresses the full surface: spend controls, kill switches, real-time alerting, and continuous security oversight – purpose-built for the way AI infrastructure actually operates.”


John Strand, Owner, Black Hills Information Security, Inc. adds this:

“Supply chain attacks are accelerating at a pace that should concern every security leader. Organizations need to strengthen change management processes and begin collecting network telemetry today. If you don’t have Zeek or similar visibility at the edge of your environment, you need a plan to get there quickly.

   “The ability to hunt for suspicious outbound communications and identify compromised software behavior is becoming critical. The future of defense cannot rely solely on endpoint protection. Without network visibility and threat hunting, organizations will increasingly find themselves blind to some of the most dangerous attacks they’re likely to face.”

Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs has this:

   “Fifteen plugins stole AI API keys from the JetBrains Marketplace for eight months. Nobody was hunting developer workstations. Organizations run threat detection on production systems and leave developer tooling entirely out of scope.

   “The VS Code marketplace went from zero documented supply chain campaigns in 2024 to seven in 18 months. JetBrains was next in line. Marketplace review checks whether a plugin works, not where it sends your credentials. JetBrains tested binary compatibility and basic functionality; outbound network destination verification was never in scope.

   “Most organizations perform vendor reviews for SaaS platforms but let developers install IDE extensions with zero oversight. These plugins run with full access to source code, credentials, and AI API keys worth real money. Treat them like vendors: full inventory, allowlisting, zero-trust posture.

   “The safer path for AI coding capabilities is building them in-house rather than pasting API keys into every third-party plugin that claims to need them. Marketplace review was never designed to distinguish an HTTP POST to api.openai.com from one to an attacker-controlled server. Eight months of undetected exfiltration proves the point.”
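A hunt of the kind the Zeek recommendation above points to, applied to the distinction between a request to api.openai.com and one to an unknown server. This is an added example, not part of the original post or any quoted vendor's tooling. The log excerpt, allowlist, host names and 30-second correlation window are constructed assumptions.

```python
# Constructed Zeek ssl.log excerpt (TSV, reduced field set); not real telemetry.
SAMPLE_SSL_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\tserver_name",
    "1700000000.10\tC1\t10.0.5.21\t192.0.2.10\t443\tapi.openai.com",
    "1700000002.40\tC2\t10.0.5.21\t198.51.100.7\t443\tplugin-sync.example.net",
    "1700000050.00\tC3\t10.0.5.21\t192.0.2.30\t443\tplugins.jetbrains.com",
    "1700000100.00\tC4\t10.0.5.22\t192.0.2.10\t443\tapi.openai.com",
    "1700009000.00\tC5\t10.0.5.22\t203.0.113.9\t443\tcdn.example.org",
])

AI_API_HOSTS = {"api.openai.com"}                      # AI endpoints developers are expected to call
ALLOWLIST = AI_API_HOSTS | {"plugins.jetbrains.com"}   # assumed approved egress for developer hosts
WINDOW_SECONDS = 30                                    # assumed correlation window


def parse_zeek_tsv(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def hunt(text):
    """Return (unknown, correlated): TLS destinations outside the allowlist, and the
    subset contacted within WINDOW_SECONDS after the same host called an AI API."""
    last_ai_call = {}              # source IP -> timestamp of its latest AI API connection
    unknown, correlated = [], []
    for rec in sorted(parse_zeek_tsv(text), key=lambda r: float(r["ts"])):
        src, ts = rec["id.orig_h"], float(rec["ts"])
        sni = rec["server_name"].lower()   # Zeek writes "-" when no SNI was sent; that is flagged too
        if sni in AI_API_HOSTS:
            last_ai_call[src] = ts
        if sni in ALLOWLIST:
            continue
        hit = (src, sni, rec["uid"])
        unknown.append(hit)
        if src in last_ai_call and ts - last_ai_call[src] <= WINDOW_SECONDS:
            correlated.append(hit)
    return unknown, correlated


if __name__ == "__main__":
    unknown, correlated = hunt(SAMPLE_SSL_LOG)
    print("outside allowlist:", unknown)
    print("shortly after an AI API call:", correlated)
```

The correlated list is a triage heuristic for analysts, not proof of key forwarding; each hit still needs to be traced back to the process or plugin that opened the connection.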
