Cybersecurity
Malicious JetBrains AI Plugins Are Stealing API Keys: What Engineering Teams Should Do Now
The interesting part of this JetBrains plugin story is not only that malware reached a popular marketplace. It is that the payload is aimed directly at developer secrets and AI workflow trust. According to Aikido Security, at least 15 JetBrains Marketplace plugins posed as useful AI coding assistants while quietly exfiltrating API keys entered by the user. For engineering teams that are standardizing on AI-assisted development, that turns a convenience tool into a credential theft channel inside the IDE itself.
The reported plugins offered exactly the kind of features developers expect today: AI chat, code review, commit message generation, bug finding and unit test help. They worked as advertised, which is what makes the campaign operationally dangerous. Teams are more likely to trust a tool that appears useful than one that breaks immediately. In this case, the AI provider keys entered into the plugin were allegedly sent in plaintext over HTTP to attacker-controlled infrastructure.
Why this matters beyond one plugin incident
Developer environments now contain a concentration of high-value assets: source code, cloud credentials, signing keys, internal architecture context and paid AI provider access. Threat actors do not need domain admin first if they can quietly collect secrets from the workstation where real software gets built. A malicious IDE plugin is effectively a privileged dependency with UI trust and routine access to developer behavior.
- The target is not only a browser session but the developer workstation itself.
- Stolen AI provider keys can become direct financial abuse and indirect data exposure risk.
- Plugins that work normally are harder for users to distrust or report quickly.
- The campaign reinforces that marketplace trust is not the same as security review.
What researchers reported
The campaign reportedly used multiple similarly built plugins that imitated DeepSeek and other AI assistants. Users were instructed to enter API keys for providers such as OpenAI, SiliconFlow or DeepSeek in order to unlock the promised functionality. The plugin then transmitted the key to a remote server controlled by the operator. Some plugins also exposed a strange paid tier model where the server returned another working key back to the client, suggesting the attackers may have been monetizing stolen access across users.
The same reporting cycle also highlighted two Chrome extensions that were allegedly capturing conversations from mainstream AI chat services including ChatGPT, Claude, Gemini, Copilot, Perplexity, DeepSeek, Grok and Meta AI. That matters because the real lesson is broader than JetBrains: AI workflows across IDEs and browsers are now a viable collection surface for secrets, prompts, models used and account metadata.
Immediate response priorities for engineering and security teams
1) Identify whether any affected plugins were installed
Start with inventory, not assumptions. Review JetBrains plugin deployments on managed engineering endpoints, check developer workstations for recently installed AI assistant plugins and compare them against the reported malicious package names and publishers. Include contractors, test machines and proof-of-concept environments, because that is often where unofficial tooling appears first.
2) Rotate exposed AI provider keys and review billing anomalies
If a developer may have entered a provider key into one of these plugins, treat that secret as compromised. Rotate it immediately, review usage history for unexplained token spend and inspect whether the same credential was reused anywhere else. AI keys are often created quickly and governed poorly, which makes them easy to forget and expensive to leak.
3) Treat IDE plugins like privileged dependencies
Many organizations already review production dependencies more closely than desktop extensions. That gap is no longer defensible. IDE plugins can read project context, influence generated code and request sensitive input directly from the user. They need allowlists, ownership and periodic review the same way browser extensions and developer packages do.
4) Expand the review to browser-based AI tooling
Because the same reporting wave also flagged Chrome extensions that intercept AI chats, teams should not stop at JetBrains. Review browser extension policies on engineering endpoints, remove unvetted AI helpers and confirm that sensitive architectural, customer or source-code discussions are not being exposed through telemetry-heavy browser add-ons.
Practical 24-hour checklist
- Check whether any reported malicious JetBrains AI plugins are present on developer endpoints.
- Rotate AI provider API keys that may have been entered into untrusted plugins.
- Review provider billing and usage logs for suspicious activity or sudden spikes.
- Remove unapproved IDE and browser extensions from engineering workstations.
- Create or tighten an allowlist policy for developer plugins and extensions.
- Brief engineering teams that AI helper tools must be treated like privileged code dependencies, not harmless productivity add-ons.
| Control area | Key question | Recommended action |
|---|---|---|
| Inventory | Which developer machines installed unreviewed AI plugins? | Audit JetBrains plugins and browser extensions across managed endpoints |
| Secrets | Were API keys entered into those tools? | Rotate keys immediately and check provider usage history |
| Endpoint trust | Do developers self-install high-privilege helpers without review? | Introduce allowlists and ownership for IDE and browser add-ons |
| Detection | Can we see suspicious plugin-driven outbound traffic or abnormal token spend? | Correlate endpoint telemetry, proxy logs and AI billing anomalies |
| Policy | Are AI development tools governed like other privileged software? | Apply the same review standard used for dependencies, agents and extensions |
Bottom line
This is not a niche IDE plugin story. It is an early warning that attacker focus is shifting toward the real operating surface of modern engineering teams: AI assistants, browser extensions and the secrets developers paste into them. If your organization is serious about secure AI adoption, plugin governance, key rotation discipline and workstation trust boundaries need to mature at the same speed as developer productivity tooling.