Multiple JetBrains IDE plugins caught stealing AI keys
10 hours ago
- #supply-chain-security
- #malware
- #api-key-theft
- Coordinated malware campaign on JetBrains Marketplace involving at least 15 IDE plugins from seven vendor accounts.
- Plugins exfiltrate AI provider API keys to an attacker-controlled server (39.107.60.51) as soon as the user enters them.
- Plugins work as advertised AI coding assistants but carry hidden key-theft behaviour; installed ~70,000 times.
- Campaign active from October 2025 to June 2026, with fake reviews and potentially inflated download counts.
- Attackers may resell the stolen API keys to paying users, creating a double-sided revenue model.
- Developer IDEs are high-value targets due to access to source code, credentials, and AI API keys.
- Aikido offers detection and protection tools, including malware scanning and Safe Chain for package interception.
- Network indicator: C2 server at 39.107.60.51; the affected plugin names and IDs are listed in the original report.
- Vendor accounts include CodePilot, StackSmith, CodeCrafter, CodeWeaver, JetCode, DailyCode, and ZenCoder.
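The two indicators this summary does give, the C2 address and the vendor account names, are enough for a defender to sweep both network logs and locally installed plugins. The script below is an added example written for this page; it is not Aikido's scanner and not code from the report. It assumes a JetBrains-style plugin layout (`<plugins dir>/<PluginName>/lib/*.jar` with a `META-INF/plugin.xml` inside), a hypothetical proxy log format, and that a malicious plugin hard-codes the C2 IP somewhere in its archive; the sample log lines and sample archive are constructed here, and treating the vendor account names as `<vendor>` display names is a heuristic, not something the report states.

```python
import io
import pathlib
import re
import zipfile

# Indicator from the report: the server the plugins exfiltrate AI API keys to.
C2_IP = "39.107.60.51"

# Vendor accounts named in the report. Matching a plugin's <vendor> element against
# these is only a triage heuristic (assumption: account name == display name).
SUSPECT_VENDORS = {"CodePilot", "StackSmith", "CodeCrafter", "CodeWeaver",
                   "JetCode", "DailyCode", "ZenCoder"}

# Match the IP as a whole token so that e.g. 139.107.60.51 or 39.107.60.512 do not match.
_C2_RE = re.compile(r"(?<![\d.])" + re.escape(C2_IP) + r"(?![\d.])")
_VENDOR_RE = re.compile(r"<vendor[^>]*>([^<]*)</vendor>")


def find_c2_connections(log_lines):
    """Return (line_no, line) for every log line that references the C2 IP."""
    return [(n, line) for n, line in enumerate(log_lines, 1) if _C2_RE.search(line)]


def scan_plugin_archive(data: bytes):
    """Return the names of archive entries containing the C2 IP.

    Entries are searched as raw bytes (decoded as latin-1), so the check also
    finds the string inside compiled .class files, where ASCII constants are
    stored verbatim in the constant pool.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if _C2_RE.search(zf.read(info.filename).decode("latin-1")):
                hits.append(info.filename)
    return hits


def plugin_vendor(data: bytes):
    """Return the <vendor> text from META-INF/plugin.xml, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "META-INF/plugin.xml" not in zf.namelist():
            return None
        m = _VENDOR_RE.search(zf.read("META-INF/plugin.xml").decode("utf-8", "replace"))
        return m.group(1).strip() if m else None


def scan_plugins_dir(plugins_dir):
    """Walk an installed-plugins directory and report jars that embed the C2 IP
    or declare one of the suspect vendors. Returns a list of finding dicts."""
    findings = []
    for jar in pathlib.Path(plugins_dir).rglob("*.jar"):
        data = jar.read_bytes()
        try:
            hits = scan_plugin_archive(data)
            vendor = plugin_vendor(data)
        except zipfile.BadZipFile:
            continue  # not a real zip; skip rather than crash the sweep
        if hits or vendor in SUSPECT_VENDORS:
            findings.append({"jar": str(jar), "c2_hits": hits, "vendor": vendor})
    return findings


def build_sample_plugin(malicious: bool, vendor: str = "ExampleVendor") -> bytes:
    """Constructed sample archive (NOT a real plugin) used to exercise the scanner."""
    endpoint = C2_IP if malicious else "api.example.test"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/plugin.xml",
                    f"<idea-plugin><id>example.assistant</id><vendor>{vendor}</vendor></idea-plugin>")
        zf.writestr("com/example/KeyUploader.class",
                    f'class KeyUploader {{ String endpoint = "http://{endpoint}/collect"; }}'.encode())
    return buf.getvalue()


# Constructed proxy log lines; the format is hypothetical.
SAMPLE_PROXY_LOG = [
    "2026-06-01T09:14:02Z dev-laptop-17 CONNECT 39.107.60.51:80 user=alice ua=IntelliJ",
    "2026-06-01T09:14:05Z dev-laptop-17 CONNECT api.openai.com:443 user=alice ua=IntelliJ",
    "2026-06-01T09:15:11Z dev-laptop-03 CONNECT 139.107.60.51:443 user=bob ua=curl",
    "2026-06-01T09:16:40Z dev-laptop-09 POST http://39.107.60.51/collect user=carol ua=IntelliJ",
]

if __name__ == "__main__":
    for n, line in find_c2_connections(SAMPLE_PROXY_LOG):
        print(f"C2 contact on log line {n}: {line}")
    print("malicious sample:", scan_plugin_archive(build_sample_plugin(True)))
    print("benign sample:   ", scan_plugin_archive(build_sample_plugin(False)))
    print("vendor flagged:  ", plugin_vendor(build_sample_plugin(False, "ZenCoder")) in SUSPECT_VENDORS)
```

The token-boundary regex matters in practice: a naive substring search for the IP would also fire on unrelated addresses such as 139.107.60.51, which shows up as a false positive in the constructed log above. Run `scan_plugins_dir()` against the IDE's plugins directory on a developer workstation; any hit on the C2 string is a strong signal, while a vendor-only match just marks a plugin for manual review. Keys already typed into a flagged plugin should be treated as compromised and rotated.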