Security researchers discovered at least 15 malicious plugins on the JetBrains Marketplace designed to exfiltrate AI API keys from developers' systems. The plugins targeted users of popular JetBrains IDEs including IntelliJ IDEA, PyCharm, and WebStorm, embedding theft functionality directly into development environments where sensitive credentials are frequently stored.
The attack chain works by injecting malicious code into plugin initialization routines. When developers install these plugins, the code executes silently in the background, harvesting API keys for services like OpenAI, Anthropic, Google Cloud, and AWS. This approach exploits the trust developers place in the official JetBrains Marketplace, which hosts thousands of legitimate community-developed extensions.
JetBrains has removed the malicious plugins from its marketplace following disclosure. However, developers who installed these plugins before removal remain at risk. Threat actors can leverage stolen API keys to access cloud services, generate content using paid AI models, access sensitive data, or pivot into downstream systems authenticated by those credentials.
The risk extends beyond individual developers. Teams using shared API keys face compromised infrastructure. Organizations relying on AI services for internal operations risk unauthorized usage, billing fraud, and data exfiltration through stolen credentials. OpenAI, Google, and AWS all charge for API usage, making stolen keys valuable for attackers seeking free compute resources.
Developers should immediately rotate all AI API keys if they installed unfamiliar plugins recently. Review plugin installation history in your IDE settings, uninstall suspicious extensions, and monitor API usage logs for anomalous activity. JetBrains recommends installing plugins only from trusted publishers with established track records.
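One way to act on the "monitor API usage logs" advice above, as an added example that is not from the article or from JetBrains: a small Python triage script that reads a constructed JSON-lines usage log, flags keys used from outside a set of known egress addresses or showing a daily token spike, and lists which keys to rotate first. The log field names, the egress set and the spike threshold are all assumptions, not any provider's real export format.

```python
import json
from collections import defaultdict

# Constructed sample usage log (JSON lines). The field names are an assumption
# for illustration, not any provider's real export format.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:00Z","key_id":"key_a","src_ip":"203.0.113.10","tokens":1200}
{"ts":"2024-05-02T10:15:00Z","key_id":"key_a","src_ip":"203.0.113.10","tokens":1500}
{"ts":"2024-05-03T03:40:00Z","key_id":"key_a","src_ip":"198.51.100.7","tokens":40000}
{"ts":"2024-05-01T11:00:00Z","key_id":"key_b","src_ip":"203.0.113.11","tokens":900}
{"ts":"2024-05-02T11:30:00Z","key_id":"key_b","src_ip":"203.0.113.11","tokens":1100}
"""

# Assumption: the organisation's known egress addresses (CI runners, office NAT).
KNOWN_EGRESS = {"203.0.113.10", "203.0.113.11"}

def parse_log(text):
    """Parse JSON-lines usage records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_anomalies(events, known_ips, spike_ratio=5.0):
    """Return {key_id: [reason, ...]} for keys that look compromised.

    Two signals: use from an IP outside the known egress set, and a day whose
    token total exceeds spike_ratio times the mean of that key's other days.
    """
    reasons = defaultdict(list)
    daily = defaultdict(lambda: defaultdict(int))  # key_id -> day -> tokens
    for ev in events:
        if ev["src_ip"] not in known_ips:
            reasons[ev["key_id"]].append(f"use from unknown ip {ev['src_ip']} at {ev['ts']}")
        daily[ev["key_id"]][ev["ts"][:10]] += ev["tokens"]
    for key_id, per_day in daily.items():
        for day, total in per_day.items():
            others = [t for d, t in per_day.items() if d != day]
            if not others:
                continue  # no baseline for this key yet
            mean = sum(others) / len(others)
            if total > spike_ratio * mean:
                reasons[key_id].append(f"token spike on {day}: {total} vs mean {mean:.0f}")
    return dict(reasons)

def keys_to_rotate(log_text=SAMPLE_LOG, known_ips=KNOWN_EGRESS):
    """Keys that should be rotated first, with the evidence for each."""
    return find_anomalies(parse_log(log_text), known_ips)

if __name__ == "__main__":
    for key_id, why in keys_to_rotate().items():
        print(key_id, "->", "; ".join(why))
```

Replace SAMPLE_LOG with an export from your provider's usage dashboard (mapped to the same fields) and KNOWN_EGRESS with your real egress addresses; a key that appears in the output is a rotation candidate regardless of whether a suspicious plugin was found.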
This incident reflects a broader supply chain risk in developer tooling. Plugin ecosystems represent attack surface that developers often overlook because they assume marketplace curation prevents malicious code. Attackers exploit this
