
JetBrains Marketplace malicious plugin API-key theft campaign

Campaign
H score 16
1 unique source, 1 article

Summary

A coordinated malware campaign on the JetBrains Marketplace is stealing developers' AI provider API keys through malicious plugins, creating immediate credential-theft and account-abuse risk. The operation spans at least 15 plugins published under seven vendor accounts, and the plugins have been installed close to 70,000 times. They first appeared in October 2025 and continued to be published as recently as June 10, 2026. One analyzed plugin remained available for download, leaving the theft path active.

Related Happenings

GlassWorm malware abuses compromised OpenVSX extensions to steal credentials from macOS systems

Malware Activity
H score 34 · First: 03.02.2026 00:04 · Last: 03.02.2026 00:04 · Sources: 1

About this happening: **GlassWorm** is a malware campaign that now also fuels **ForceMemo**, a **supply-chain attack** that steals **GitHub tokens** and force-pushes malicious code into **Python reposi...

Developers' source code exposed through malicious VS Code extensions

Data Leak
H score 23 · First: 26.01.2026 17:43 · Last: 26.01.2026 17:43 · Sources: 1

About this happening: **Malicious VS Code extensions** have been found **exfiltrating developers' source code** and workspace changes to **China-based servers**, exposing sensitive code across **1.5 mi...

GlassWorm campaign returns in repeated waves across extension marketplaces

Campaign
H score 40 · First: 01.01.2026 17:18 · Last: 01.01.2026 17:18 · Sources: 1

About this happening: **GlassWorm** is an ongoing **supply-chain attack** targeting developers through the **OpenVSX** and **Microsoft Visual Studio Marketplace** extension ecosystems. In the latest co...

Latest development: 17.03.2026 23:42

GlassWorm renewed its supply-chain campaign with a coordinated wave that compromised 433 components across GitHub, npm, and VSCode/OpenVSX this month, including 200 GitHub Python repositories, 151 GitHub JS/TS repositories, 72 VSCode/OpenVSX extensions, and 10 npm packages. Attackers compromised GitHub accounts to force-push malicious commits, then published obfuscated packages and extensions that queried a Solana blockchain C2 channel every five seconds and delivered a Node.js-based JavaScript infostealer that targets cryptocurrency wallet data, credentials, access tokens, SSH keys, and developer environment data.

ShadyPanda browser-extension campaign

Campaign
H score 40 · First: 01.12.2025 17:01 · Last: 01.12.2025 17:01 · Sources: 1

About this happening: The **ShadyPanda** browser-extension campaign remains active on **Microsoft Edge Add-ons**, where it has reached **over 4.3 million installs** and is still delivering malicious co...

Timeline

  1. 17.06.2026 00:54 2 articles · 1h ago

    Malicious JetBrains Marketplace plugins steal AI API keys

    Initial Disclosure

    Aikido Security detected a coordinated malware campaign on the JetBrains Marketplace in which at least 15 IDE plugins under seven vendor accounts secretly exfiltrated developers' AI provider API keys from plugin settings to a hardcoded server at 39.107.60[.]51 over HTTP. The plugins posed as AI coding assistants, code-review tools, and Git utilities powered by OpenAI, DeepSeek, and SiliconFlow. BleepingComputer independently confirmed that the latest DeepSeek AI Assist plugin still contained the credential theft code while it remained available for download.
