Researchers uncovered a coordinated malware campaign targeting JetBrains developers through 15 malicious plugins on the official JetBrains Marketplace. The plugins masquerade as AI coding assistants powered by DeepSeek and other large language models, offering features like chat, commit message generation, code review, bug detection, and unit test creation.
The threat actors designed these plugins to steal API keys for AI services. When developers install a seemingly legitimate tool to enhance their workflow, the malicious code executes in the background and harvests credentials. This theft exposes access to paid AI services, enabling attackers to impersonate victims and incur significant costs on their accounts.
The campaign demonstrates attackers' willingness to abuse trusted development platforms to reach their target audience. JetBrains' plugin marketplace carries inherent trust because the platform polices submissions. Developers installing extensions assume baseline vetting has occurred. Malicious actors exploit this trust by creating convincing facades around stolen LLM functionality or by adding malicious code to otherwise functional tools.
The scope extends beyond just API key theft. Researchers also identified malicious Chrome extensions that capture chatbot conversations. These browser-based threats intercept interactions with ChatGPT, Claude, and similar platforms, collecting sensitive information from user queries and responses. Chat logs often contain proprietary business logic, customer data, or other confidential details that organizations consider high-value targets.
For organizations, this campaign poses dual risks. Developers unknowingly expose AI service credentials, opening the door to unauthorized access and billing fraud. Simultaneously, the Chrome extension attacks compromise the conversations themselves, leaking intellectual property through captured chats.
Mitigation requires immediate action. Organizations should audit JetBrains plugin installations across their development teams and revoke any suspicious API keys. Security teams must review Chrome extension permissions in managed environments and restrict installation of untrusted extensions. Developers
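One way to approach the extension-permission review described above is to scan each installed extension's manifest for broad host access, sensitive API permissions, and match patterns that reach AI chat sites. The script below is an added example written for this page, not code from the researchers or from JetBrains or Google; it assumes a Chrome-style profile layout of `Extensions/<extension id>/<version>/manifest.json`, a constructed watchlist of AI chat hosts, and a hand-picked set of permissions worth a second look, and it builds two constructed sample manifests (one benign, one suspicious) so it runs offline.

```python
import json
import tempfile
from pathlib import Path

# Constructed watchlist of AI chat hosts (assumption: adjust to the services in use).
AI_CHAT_HOSTS = ("chatgpt.com", "chat.openai.com", "claude.ai")
# Match patterns that grant access to every site.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Hand-picked API permissions that let an extension read or alter page traffic (assumption).
RISKY_API_PERMISSIONS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                         "cookies", "tabs", "scripting", "debugger", "clipboardRead"}


def host_patterns(manifest):
    """Collect every host match pattern an extension declares (MV2 and MV3 layouts)."""
    patterns = list(manifest.get("host_permissions", []))
    patterns += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return patterns


def pattern_covers_host(pattern, host):
    """True if a Chrome match pattern such as '*://*.claude.ai/*' covers the given host."""
    if pattern in BROAD_HOST_PATTERNS:
        return True
    rest = pattern.split("://", 1)[1] if "://" in pattern else pattern
    phost = rest.split("/", 1)[0]
    if phost.startswith("*."):
        return host == phost[2:] or host.endswith(phost[1:])
    return phost == host


def assess_manifest(manifest):
    """Return a list of human-readable findings for one manifest (empty list = nothing flagged)."""
    findings = []
    patterns = host_patterns(manifest)
    broad = sorted({p for p in patterns if p in BROAD_HOST_PATTERNS})
    if broad:
        findings.append(f"broad host access: {broad}")
    reach = sorted({h for h in AI_CHAT_HOSTS for p in patterns if pattern_covers_host(p, h)})
    if reach:
        findings.append(f"can reach AI chat hosts: {reach}")
    risky = sorted(RISKY_API_PERMISSIONS & set(manifest.get("permissions", [])))
    if risky:
        findings.append(f"sensitive API permissions: {risky}")
    return findings


def audit_extensions_dir(root):
    """Walk <root>/<ext_id>/<version>/manifest.json and map extension id -> findings."""
    report = {}
    for manifest_path in Path(root).glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError) as exc:
            report[ext_id] = [f"unreadable manifest: {exc}"]
            continue
        report[ext_id] = assess_manifest(manifest)
    return report


# Constructed sample data: two fake extension ids and manifests, not real extensions.
BENIGN_ID = "benignextensionid0000000000000000"
SUSPECT_ID = "suspectextensionid000000000000000"
SAMPLE_MANIFESTS = {
    BENIGN_ID: {"manifest_version": 3, "name": "Tab Notes", "permissions": ["storage"]},
    SUSPECT_ID: {"manifest_version": 3, "name": "AI Helper",
                 "permissions": ["tabs", "scripting", "storage"],
                 "host_permissions": ["<all_urls>"],
                 "content_scripts": [{"matches": ["*://chatgpt.com/*", "*://*.claude.ai/*"],
                                      "js": ["inject.js"]}]},
}


def write_sample_profile(root):
    """Lay the constructed manifests out in the Chrome-style directory structure."""
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        version_dir = Path(root) / ext_id / "1.0.0_0"
        version_dir.mkdir(parents=True, exist_ok=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


def run_demo():
    """Build the sample profile in a temp dir, audit it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_profile(tmp)
        return audit_extensions_dir(tmp)


if __name__ == "__main__":
    for ext_id, findings in run_demo().items():
        print(ext_id, "->", findings or "nothing flagged")
```

Point `audit_extensions_dir` at a real profile's `Extensions` folder to review a managed machine; a clean result does not prove an extension is safe (the watchlist and permission set are assumptions, and a content script on a single AI chat domain is exactly what a legitimate assistant would also declare), so treat flagged entries as a review queue rather than a verdict.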
