JetBrains IDE Plugins Compromise 70,000+ API Keys

JetBrains IDE Plugins Compromise 70,000+ API Keys

Posted on By CWS

In a significant security breach, over 70,000 API keys have been compromised due to malicious plugins on the JetBrains Marketplace. These harmful plugins, masquerading as legitimate AI-enhanced coding tools, have been downloaded extensively, primarily by developers seeking advanced features.

Malicious Plugins Disguised as AI Tools

Research by Aikido revealed that the compromised plugins were distributed through seven vendor accounts, falsely presenting themselves as helpful AI-powered developer assistants. They offered functionalities such as AI chat, code generation, and bug detection, appearing genuine while secretly extracting sensitive API keys.

These plugins, although functional, concealed their true intent. They captured users’ API keys for services like OpenAI and DeepSeek, operating covertly behind a facade of helpfulness. This stealthy approach allowed the malware to proliferate undetected.

Technical Insights into the Breach

Each identified plugin shared a similar codebase, slightly modified to evade detection. Upon entering API keys, developers unknowingly triggered the theft mechanism. The captured keys were sent to a command-and-control server through unencrypted HTTP requests, exposing them to further interception risks.

The plugins even offered a paid tier, complicating the threat landscape. Post-payment, users received new API keys controlled by attackers, suggesting a possible resale operation of stolen credentials. This dual strategy enabled attackers to profit from both stolen keys and subscription fees.

Implications and Recommended Actions

Active since October 2025, the campaign continues to evolve, with new malicious plugins emerging as recently as June 2026. The true scope remains uncertain due to potential manipulation of download statistics and fake positive reviews.

The incident underscores the vulnerability of Integrated Development Environments (IDEs) to supply chain attacks. These environments harbor critical information like source code and API keys, making them lucrative targets. Despite JetBrains’ security measures, hidden malicious functions can escape detection.

Future Outlook and Security Recommendations

Developers are urged to uninstall affected plugins and revoke compromised API keys immediately. Regular credential rotation and monitoring for unusual API activity are crucial. Experts advise treating IDE plugins as high-risk components and only engaging with trusted sources.

In response to this growing threat, organizations should adopt endpoint monitoring solutions and enhance software supply chain security protocols. This breach highlights the escalating risk of developer-targeted attacks and the necessity for increased vigilance when incorporating third-party tools into development workflows.

Cyber Security News Tags:, , , , , , , , , , , , , ,

Related Posts

F5 BIG-IP Exploit Enables Network Intrusion via SSH F5 BIG-IP Exploit Enables Network Intrusion via SSH Cyber Security News
93+ Billion Stolen Users’ Cookies Flooded by Hackers on the Dark Web 93+ Billion Stolen Users’ Cookies Flooded by Hackers on the Dark Web Cyber Security News
Phorpiex Botnet’s Evolving Threats: Ransomware and More Phorpiex Botnet’s Evolving Threats: Ransomware and More Cyber Security News
CISA Warns of Trend Micro Apex One OS Command Injection Vulnerability Exploited in Attacks CISA Warns of Trend Micro Apex One OS Command Injection Vulnerability Exploited in Attacks Cyber Security News
M-Files Vulnerability Let Attacker Capture Session Tokens of Other Active Users M-Files Vulnerability Let Attacker Capture Session Tokens of Other Active Users Cyber Security News
Top Log Monitoring Tools to Watch in 2026 Top Log Monitoring Tools to Watch in 2026 Cyber Security News