[TIMESTAMP: 2026-06-17 01:06 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Malicious JetBrains Plugins Steal AI API Keys: Supply Chain Risks

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Attackers are stealing AI API keys from developers using malicious plugins uploaded to the official JetBrains Marketplace.
  • [02] Developers using JetBrains IDEs who installed unofficial AI extensions, specifically those identified as malicious, are at immediate risk.
  • [03] Organizations should audit all IDE plugins, block unauthorized marketplace access, and immediately rotate any exposed AI service credentials.

Overview of the JetBrains Marketplace Campaign

Security researchers have identified a coordinated campaign involving at least 15 malicious plugins hosted on the official JetBrains Marketplace. These extensions, which mimic legitimate AI development tools, were specifically designed to exfiltrate sensitive API keys for popular Artificial Intelligence services, including OpenAI, Anthropic, Google Gemini, and Azure OpenAI. According to BleepingComputer, the discovery by Checkmarx highlights a sophisticated Supply Chain Attack targeting the growing ecosystem of AI-assisted software development.

The malicious plugins, such as “GPT-Cleaner,” “ChatGPT-Assistant,” and “AI-Code-Reviewer,” were downloaded thousands of times before being removed from the marketplace. By appearing as helpful utilities, the attackers bypassed initial scrutiny and successfully targeted the local environments of developers who frequently manage high-value credentials within their IDEs.

Technical Analysis of API Key Exfiltration

Once installed, these plugins perform automated scans of the local file system and the IDE’s internal configuration files. The malware specifically looks for environment variables, .env files, and configuration directories associated with AI service providers. The primary TTP observed involves the use of simple string matching to locate patterns like sk- (OpenAI) or org- identifiers.

After harvesting the credentials, the plugins transmit the data to an attacker-controlled C2 server. In several instances, the researchers noted that the plugins communicated with domains designed to appear legitimate, such as api.openai-stats.com. This technique of using lookalike domains is a common method for evading detection by standard network monitoring tools and EDR solutions that may not flag traffic to pseudo-legitimate endpoints.

How to Detect Malicious JetBrains Plugins and Compromised Keys

Defenders and SOC analysts must look for specific IoC patterns within developer workstations. Effective detection requires monitoring for unusual outbound network requests from the IDE process (e.g., idea64.exe or pycharm64.exe) to unverified external domains. Furthermore, reviewing the plugin installation logs located in the JetBrains configuration directory is a necessary step in identifying malicious plugins that may have been active in the environment.

Another indicator of compromise is the presence of unauthorized API usage logs within the AI service provider’s dashboard. If an organization observes requests originating from unexpected IP addresses or geographic regions, it likely indicates that the API key has been compromised and exfiltrated via a malicious extension.
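
An added example (not from the original article or from the researchers it cites) of the IDE-process egress check described above: it filters proxy log lines down to IDE processes and flags destinations outside an allowlist, marking hosts such as api.openai-stats.com that contain a provider name but do not sit under the provider's own domain. The log format, the allowlist and the brand-token list are assumptions, and the log lines are constructed.

```python
# Constructed proxy log lines: "<timestamp> <process> <dest_host> <dest_port>"
SAMPLE_LOG = """\
2026-06-16T09:12:01Z idea64.exe plugins.jetbrains.com 443
2026-06-16T09:12:07Z idea64.exe api.openai.com 443
2026-06-16T09:13:44Z pycharm64.exe api.openai-stats.com 443
2026-06-16T09:14:02Z chrome.exe api.openai-stats.com 443
2026-06-16T09:15:30Z idea64.exe telemetry.example.net 443
2026-06-16T09:16:00Z PyCharm64.exe openai.com.example.org 443
"""

# IDE process names taken from the article; extend per fleet (assumption).
IDE_PROCESSES = {"idea64.exe", "pycharm64.exe"}
# Assumed allowlist of parent domains that IDE traffic may reach.
ALLOWED_DOMAINS = ("jetbrains.com", "openai.com", "anthropic.com",
                   "googleapis.com", "azure.com")
# Assumed provider names whose appearance in a non-allowlisted host is suspicious.
BRAND_TOKENS = ("openai", "anthropic", "gemini", "azure")


def classify_host(host):
    """Return 'allowed', 'lookalike' or 'unverified' for a destination host."""
    host = host.lower().rstrip(".")
    # Match on a label boundary so "openai.com.example.org" is not allowed.
    if any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS):
        return "allowed"
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    return "unverified"


def triage(log_text):
    """Return (timestamp, process, host, verdict) for non-allowlisted IDE egress."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing at fields
        ts, process, host, _port = parts
        if process.lower() not in IDE_PROCESSES:
            continue  # only IDE processes are in scope for this check
        verdict = classify_host(host)
        if verdict != "allowed":
            findings.append((ts, process.lower(), host.lower(), verdict))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

A "lookalike" verdict is the higher-priority alert; "unverified" hosts still need review because the allowlist here is only illustrative.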

Mitigation and Long-term Security Strategy

The primary remediation for a malicious JetBrains Marketplace plugin is the immediate revocation and rotation of all API keys that were present on a developer’s machine at the time the plugin was installed. Simply deleting the plugin is insufficient, as the credentials have likely already been harvested and stored by the threat actor.

To prevent future incidents, organizations should consider the following actions:

  • Plugin Whitelisting: Implement a strict policy for IDE extensions, allowing only verified and internally approved plugins from the marketplace.
  • Credential Management: Use secret management tools or environment variable managers that prevent plaintext keys from residing in project directories or .env files.
  • Egress Filtering: Restrict developer environments from communicating with unknown external domains, enforcing proxy-based inspection for all IDE traffic.
  • Zero Trust for APIs: Apply Zero Trust principles by limiting the permissions of API keys to the minimum necessary scope and using short-lived tokens where possible.

As threat actors continue to target the development pipeline, the security of third-party marketplaces remains a critical concern for modern software engineering teams.
