What Happened
Multiple malicious plugins hosted on the JetBrains Marketplace have been discovered actively exfiltrating AI API keys from developer environments. The rogue plugins target IDE-stored credentials for major AI service providers — including OpenAI, Anthropic, and Google AI — and transmit them to attacker-controlled infrastructure.
The plugins are designed to appear legitimate, often mimicking popular developer tools or offering seemingly useful AI-assisted coding features as a lure. Once installed in JetBrains IDEs (IntelliJ IDEA, PyCharm, WebStorm, GoLand, CLion, and other JetBrains-based products), the malicious code scans the IDE configuration files, environment variables, and plugin-specific credential stores for API keys. These keys are then exfiltrated via encrypted HTTP requests to remote command-and-control (C2) servers.
The campaign demonstrates a growing trend of supply chain attacks targeting the developer tooling ecosystem — specifically the AI/ML development pipeline where high-value API keys are now a primary target for financially motivated threat actors.
Impact
- Production AI API Key Exposure: Stolen keys grant attackers direct access to paid AI services (OpenAI, Anthropic, Google AI). Attackers can abuse these keys to run large-scale inference operations, rack up substantial API bills, exfiltrate proprietary prompts and data, or use the compromised accounts for further attacks.
- Supply Chain Risk: Compromised developer environments are a gateway to the broader software supply chain. An attacker with IDE-level access could inject malicious code into projects, poison training data, tamper with CI/CD configurations, or pivot to cloud infrastructure accessible from the developer’s machine.
- Data Exfiltration: Beyond API keys, the plugins may harvest source code, internal documentation, database connection strings, and other secrets stored in IDE settings or project files.
- Reputational Harm: Organizations whose keys are abused for malicious AI operations may face reputational damage, regulatory scrutiny, and service suspension from AI providers.
Indicators of Compromise
- Unexpected or unfamiliar plugins installed in the JetBrains IDE, particularly those claiming to offer AI or coding-assistance features without a clear publisher history.
- Unusual outbound network connections from the IDE process (jetbrains, idea, pycharm, etc.) to unfamiliar external IP addresses or domains — especially those not associated with known JetBrains or plugin vendor infrastructure.
- Sudden spikes in API usage or billing alerts from OpenAI, Anthropic, or Google AI dashboards that do not correspond to legitimate development activity.
- IDE configuration files (e.g., settings.xml, workspace.xml, plugin XML configs) containing obfuscated or encoded sections added without user action.
- Log entries showing access to credential-related files or environment variable reads by plugin-classloader paths at unusual times.
- Plugin JAR files with unexpected network permission declarations in their META-INF/plugin.xml or manifest.
Fix
- Audit Installed Plugins Immediately: Navigate to Settings/Preferences → Plugins in every JetBrains IDE. Remove any plugins that are unrecognized, recently added without clear purpose, or from unverified/unfamiliar publishers. Pay special attention to AI-themed plugins.
- Rotate All AI API Keys: Immediately revoke and regenerate all OpenAI, Anthropic, and Google AI API keys that may have been accessible from any development environment running JetBrains IDEs. Do this directly from the respective provider dashboards — do not wait for confirmation of compromise.
- Verify Plugin Authenticity: Before reinstalling any plugins, verify the publisher’s identity, check download counts, review dates, and inspect the plugin’s page on the JetBrains Marketplace for red flags. Prefer plugins with verified badges and substantial community adoption.
- Scan Developer Workstations: Run endpoint detection and response (EDR) scans on all developer machines to identify any residual artifacts or persistence mechanisms left by the malicious plugins.
- Review API Usage Logs: Examine API usage history in provider dashboards for any unauthorized or anomalous activity during the window of potential compromise.
Recommendations
- Enforce Plugin Allow-Listing: Use organizational IDE management tools (such as JetBrains Toolbox Enterprise) to maintain an allow-list of approved plugins. Block installation of any plugin not explicitly reviewed and authorized.
- Use Environment Variable-Based Key Management: Store AI API keys in environment variables or dedicated secrets managers (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) rather than IDE configuration files. Rotate keys frequently.
- Network Monitoring: Deploy egress filtering and DNS monitoring on developer networks to detect anomalous outbound connections from IDE processes. Consider blocking IDE processes from accessing arbitrary external hosts.
- Apply Least Privilege: Issue AI API keys with minimal required scopes and spending limits. Use separate keys for development, testing, and production — and never use production keys on development machines.
- Developer Security Training: Educate developers on the risks of installing untrusted IDE plugins and establish a formal request-and-review process for new tooling.
- Monitor JetBrains Marketplace Announcements: Stay informed on marketplace security advisories and promptly act on any plugin takedowns or compromise notifications from JetBrains.
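
The plugin audit under Fix and the allow-listing recommendation above can be scripted by reading each installed plugin's META-INF/plugin.xml and comparing its ID against an approved list. The following is an added example, not code from JetBrains or from this advisory; the allow-list contents, plugin IDs and sample directory are hypothetical and constructed for the demonstration.

```python
import tempfile, zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Hypothetical allow-list of reviewed plugin IDs (assumption, not a real policy).
ALLOWED_IDS = {"com.example.reviewed-linter"}

def read_descriptor(jar_path):
    """Return (id, name, vendor) from META-INF/plugin.xml in a JAR, or None."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            root = ET.fromstring(jar.read("META-INF/plugin.xml"))
    except (KeyError, zipfile.BadZipFile, ET.ParseError):
        return None  # library JAR without a descriptor, or unreadable file
    text = lambda tag: (root.findtext(tag) or "").strip()
    # Fall back to <name> when the descriptor carries no <id>.
    return (text("id") or text("name"), text("name"), text("vendor"))

def audit_plugins(plugins_dir, allowed=ALLOWED_IDS):
    """List installed plugins whose ID is not on the allow-list."""
    findings = []
    for entry in sorted(Path(plugins_dir).iterdir()):
        # A plugin is either a single JAR or a directory with lib/*.jar.
        jars = [entry] if entry.suffix == ".jar" else sorted(entry.glob("lib/*.jar"))
        descriptors = [d for d in map(read_descriptor, jars) if d]
        if not descriptors:
            findings.append((entry.name, "no readable plugin.xml", ""))
        for plugin_id, name, vendor in descriptors:
            if plugin_id not in allowed:
                findings.append((entry.name, plugin_id, vendor))
    return findings

def build_sample_dir():
    """Constructed sample: one allow-listed plugin and one unknown plugin."""
    root = Path(tempfile.mkdtemp())
    samples = {"reviewed-linter": ("com.example.reviewed-linter", "Example Corp"),
               "ai-helper": ("com.example.unknown-ai-helper", "")}
    for folder, (plugin_id, vendor) in samples.items():
        lib = root / folder / "lib"
        lib.mkdir(parents=True)
        xml = (f"<idea-plugin><id>{plugin_id}</id><name>{folder}</name>"
               f"<vendor>{vendor}</vendor></idea-plugin>")
        with zipfile.ZipFile(lib / f"{folder}.jar", "w") as jar:
            jar.writestr("META-INF/plugin.xml", xml)
    return root

if __name__ == "__main__":
    for finding in audit_plugins(build_sample_dir()):
        print("NOT ALLOW-LISTED:", *finding)
```

To audit a real workstation, pass the IDE's plugins directory to audit_plugins instead of the constructed sample. An empty vendor field or an entry with no readable descriptor is worth a manual look even when the ID is approved.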
