Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Watchlists Beta Browse News Feed Stats About Contact

Developers' AI provider API keys exfiltrated via malicious JetBrains plugins

Data Leak
First reported
Last updated
Happening score
H score 12
1 unique sources, 1 articles

Summary

Hide ▲

Developers' AI provider API keys were exfiltrated through malicious JetBrains Marketplace plugins, exposing credentials from a broad user base and risking unauthorized access to paid AI accounts. At least 15 plugins were tied to the same operation and had been installed around 70,000 times. The plugins dated back to October 2025, with the newest releases appearing in June 2026.

Related Happenings

JetBrains Marketplace malicious plugins exfiltrating AI provider keys

Malware Activity
H score12 First: 17.06.2026 12:38 Last: 17.06.2026 12:38 Sources 1

About this happening: A **JetBrains Marketplace** malware operation has pushed **15 malicious plugins** that pose as AI coding assistants and steal **AI provider API keys** from developers. The plugins...

Open Happening

JetBrains Marketplace malicious plugin API-key theft campaign

Campaign
H score15 First: 17.06.2026 00:54 Last: 17.06.2026 00:54 Sources 1

How related: Security researchers have uncovered a coordinated campaign designed to steal developers’ AI-related API keys via malicious plugins.

About this happening: A **coordinated malware campaign** on the **JetBrains Marketplace** is stealing developers' **AI provider API keys** through malicious plugins that pose as **AI coding assistants*...

Open Happening

Shai-Hulud worm clone activity on NPM

Malware Activity
H score33 First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Open Happening

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
H score22 First: 27.04.2026 14:23 Last: 27.04.2026 14:23 Sources 1

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

Open Happening

TeamPCP supply-chain credential-exploitation campaign

Campaign
H score50 First: 31.03.2026 15:15 Last: 31.03.2026 15:15 Sources 1

About this happening: The **TeamPCP** campaign now includes a confirmed **GitHub** compromise tied to a poisoned **Nx Console VS Code extension**. GitHub said the breach of its internal repositories ca...

Latest development: 12.05.2026 01:03

TeamPCP compromised the Checkmarx Jenkins AST plugin by publishing a rogue version to repo.jenkins-ci.org on May 9, 2026, outside the official release pipeline. The malicious upload was tied to access to Checkmarx GitHub repositories and was used to deliver credential-stealing malware and malicious code to the affected organization.

Open Happening

Timeline

  1. 17.06.2026 12:10 2 articles · 1h ago

    Malicious JetBrains Marketplace plugins steal developers’ AI API keys

    Initial Disclosure

    Aikido Security found at least 15 JetBrains Marketplace IDE plugins that posed as AI coding assistants and exfiltrated API keys entered for providers such as OpenAI, SiliconFlow, or DeepSeek; the plugins had been installed around 70,000 times and were dated from October 2025 to June 2026.

    Show sources
    Open in new tab