https://www.aikido.dev/blog/multiple-jetbrains-ide-plugins-caught-stealing-ai-keys
Security researchers have uncovered malicious plugins on the JetBrains Marketplace that have been specifically designed to steal AI API keys from developers, targeting credentials used to access services such as OpenAI, Anthropic, and other prominent AI platforms. The discovery raises serious concerns about the security of third-party plugin ecosystems that developers routinely trust and install into their integrated development environments, often without subjecting them to the same level of scrutiny applied to other software components.
The malicious plugins are understood to have been crafted to blend in with legitimate development tooling, making them difficult for unsuspecting developers to identify as threats during the installation process. Once installed within a JetBrains IDE such as IntelliJ IDEA, the plugins quietly harvest AI API keys stored within the developer’s environment, whether held in configuration files, environment variables, or IDE settings, and exfiltrate them to attacker-controlled infrastructure. Stolen AI API keys can be exploited in a number of damaging ways, including running up substantial charges on the victim’s account, accessing proprietary AI fine-tuning data, or being resold on underground marketplaces to other threat actors seeking to abuse AI services at the expense of legitimate account holders.
Developers are urged to exercise caution when installing plugins from any marketplace, carefully reviewing publisher credentials, download counts, and user reviews before proceeding. JetBrains is expected to investigate and remove the identified malicious plugins from its marketplace, though the incident reinforces broader calls for platform operators to implement more rigorous automated and manual vetting processes for third-party submissions. Developers who believe they may have installed affected plugins are strongly advised to immediately rotate any AI API keys stored within their development environments and audit their accounts for signs of unauthorised usage.