Decoding the world of cybersecurity

Malicious plugins put AI keys at risk

A JetBrains Marketplace campaign shows how developer plugins, AI assistants, and API keys can become part of the software supply chain risk surface.

Malicious plugins put AI keys at risk
Summary
  • Aikido found at least 15 JetBrains Marketplace plugins that exfiltrated AI provider API keys.
  • The plugins posed as AI coding assistants, code review tools, and developer utilities, with close to 70,000 installs reported.
  • Developer tooling now needs controls around marketplace trust, AI credentials, local environments, and extension governance.

Developers using JetBrains tools have been targeted by a malicious plugin campaign designed to steal AI provider API keys, exposing a weak control point in developer tooling and AI adoption.

Aikido Security said it found at least 15 JetBrains Marketplace plugins, published under seven vendor accounts, that shared hidden behaviour. The plugins exfiltrated AI provider API keys stored in their settings while presenting themselves as AI coding assistants, code review tools, or developer utilities.

The company’s research write-up said the plugins had together been installed close to 70,000 times. Available evidence does not yet show how many installations were inside corporate environments, whether stolen keys were used, or what downstream access followed.

The campaign sits at the intersection of software supply chain risk, AI adoption, developer identity, and marketplace governance. Organisations have spent years trying to control secrets in repositories and CI/CD pipelines, while AI coding tools have created new places where credentials are entered, stored, synced, and copied between tools.

AI API keys can carry direct financial exposure, but the larger risk is access. Depending on configuration and provider, a key may expose model usage history, prompts, embedded business context, private code snippets, customer data, development workflows, or agent integrations. In some environments, AI keys are linked to broader developer platforms, internal applications, cloud services, or automated build systems.

Plugin ecosystems complicate that control model. A developer can install a productivity tool inside an integrated development environment, grant it access to project context, paste in an API key, and continue working. Traditional application allowlisting may not treat the plugin as a procurement event, while security teams may not have full visibility into extensions installed across local developer machines.

A plugin is not a minor add-on when it runs inside the tool used to write production code. It can observe files, interact with credentials, influence code suggestions, and provide a path into private repositories or local environment variables. AI-branded plugins add another layer because they invite developers to supply paid model credentials and often promise code analysis, refactoring, or automated review.

Developer workstations need to be treated as part of the production risk surface because they hold build logic, secrets, and access paths. Organisations need an inventory of approved IDE extensions, policy for bring-your-own AI keys, controls over where AI provider credentials may be stored, and monitoring for unusual API use.

Marketplace operators also carry responsibility. Plugin review, publisher verification, behavioural analysis, and rapid takedown processes need to reflect the value of AI credentials. A plugin that steals an API key may not look like ransomware, but it can drain accounts, expose sensitive prompts, and support further compromise.

The campaign shows how AI adoption can bypass normal risk channels. A small utility installed for convenience can create exposure across model providers, software projects, and internal development processes. The control point is no longer only the source repository or cloud console; it is also the developer’s editor.

×