What's Happening?
Aikido Security has uncovered a coordinated malware campaign involving at least 15 malicious plugins on the JetBrains Marketplace. These plugins, which function as AI coding assistants and code-review tools, are designed to steal AI API keys from developers.
The plugins, published under seven vendor accounts, have been installed nearly 70,000 times since their initial release in October 2025. The theft occurs when users enter their API keys into the plugin settings; the keys are then transmitted to a hardcoded server. Aikido also discovered that the plugins offer a paid tier, in which users receive an API key from the server after paying a fee, raising suspicions about the legitimacy of the operation.
Why Is It Important?
The discovery of these malicious plugins highlights significant security vulnerabilities within the JetBrains Marketplace, a popular platform for developers. The theft of AI API keys can lead to unauthorized access to AI services, potentially compromising sensitive data and intellectual property. This incident underscores the need for enhanced security measures and scrutiny of third-party plugins to protect developers and their projects. The widespread installation of these plugins indicates a substantial risk to the developer community, emphasizing the importance of vigilance and proactive security practices.
What's Next?
JetBrains has yet to respond to inquiries regarding the malicious plugins, leaving the developer community in anticipation of potential actions to address the security breach. Developers are advised to review their installed plugins and remove any suspicious ones. Security experts may push for stricter vetting processes for plugins on the marketplace to prevent future incidents. The situation may prompt discussions on improving security protocols and collaboration between platform providers and security researchers to safeguard against similar threats.
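One way for a developer to act on the advice to review installed plugins, as an added example that is not part of the original article: a Python script that inventories IntelliJ-platform plugins by reading the META-INF/plugin.xml descriptor from each plugin's jar and flags any whose vendor is not on a reviewer-maintained allowlist. The on-disk layout it walks (`<plugins_dir>/<plugin>/lib/*.jar`), the allowlist, and the two sample plugins are assumptions and constructed fixtures, not data from the report.

```python
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET

PLUGIN_XML = "META-INF/plugin.xml"  # descriptor every IntelliJ-platform plugin jar ships


def read_plugin_descriptors(plugins_dir):
    """Return (id, name, vendor) for every jar under <plugins_dir>/<plugin>/lib/
    that carries a META-INF/plugin.xml descriptor (layout is an assumption)."""
    found = []
    for plugin in sorted(os.listdir(plugins_dir)):
        lib = os.path.join(plugins_dir, plugin, "lib")
        if not os.path.isdir(lib):
            continue
        for jar in sorted(os.listdir(lib)):
            if not jar.endswith(".jar"):
                continue
            with zipfile.ZipFile(os.path.join(lib, jar)) as zf:
                if PLUGIN_XML not in zf.namelist():
                    continue
                root = ET.fromstring(zf.read(PLUGIN_XML))
                found.append(tuple((root.findtext(tag) or "").strip()
                                   for tag in ("id", "name", "vendor")))
    return found


def flag_unknown_vendors(descriptors, trusted_vendors):
    """Plugins whose <vendor> is not on the reviewer's allowlist: review or remove."""
    return [d for d in descriptors if d[2] not in trusted_vendors]


def make_sample_plugin(plugins_dir, folder, plugin_id, name, vendor):
    """Constructed fixture: a minimal plugin jar so the check runs offline."""
    lib = os.path.join(plugins_dir, folder, "lib")
    os.makedirs(lib)
    xml = (f"<idea-plugin><id>{plugin_id}</id><name>{name}</name>"
           f"<vendor>{vendor}</vendor></idea-plugin>")
    with zipfile.ZipFile(os.path.join(lib, f"{folder}.jar"), "w") as zf:
        zf.writestr(PLUGIN_XML, xml)


def demo():
    """Build two constructed plugins and report the one from an unlisted vendor."""
    plugins_dir = tempfile.mkdtemp()
    make_sample_plugin(plugins_dir, "trusted", "com.example.trusted", "Trusted Tool", "JetBrains")
    make_sample_plugin(plugins_dir, "helper", "com.example.ai.helper",
                       "AI Code Helper", "Example Vendor (constructed)")
    return flag_unknown_vendors(read_plugin_descriptors(plugins_dir), {"JetBrains"})


if __name__ == "__main__":
    for plugin_id, name, vendor in demo():
        print(f"REVIEW: {name} ({plugin_id}) from vendor '{vendor}'")
```

Point `read_plugin_descriptors` at the IDE's real plugins directory and replace the allowlist with the vendors your team has actually vetted; a plugin from an unrecognised vendor is a prompt to inspect it, not proof it is malicious.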