Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Watchlists Beta Browse News Feed Stats About Contact

JetBrains Marketplace malicious plugins exfiltrating AI provider keys

Malware Activity
First reported
Last updated
Happening score
H score 12
1 unique sources, 1 articles

Summary

Hide ▲

A JetBrains Marketplace malware operation has pushed 15 malicious plugins that pose as AI coding assistants and steal AI provider API keys from developers. The plugins send the entered keys to 39.107.60[.]51 and have been active since late October 2025, with new releases still appearing on June 10, 2026. The scale and marketplace distribution make the activity a direct risk to developer environments and paid AI accounts.

Related Happenings

Developers' AI provider API keys exfiltrated via malicious JetBrains plugins

Data Leak
H score12 First: 17.06.2026 12:10 Last: 17.06.2026 12:10 Sources 1

About this happening: Developers' **AI provider API keys** were **exfiltrated** through malicious **JetBrains Marketplace** plugins, exposing credentials from a broad user base and risking unauthorized...

Open Happening

JetBrains Marketplace malicious plugin API-key theft campaign

Campaign
H score15 First: 17.06.2026 00:54 Last: 17.06.2026 00:54 Sources 1

How related: Cybersecurity researchers have flagged a "coordinated malware campaign" on the JetBrains Marketplace that has published no less than 15 malicious plugins capable of exfiltrating artificial intelligence (AI) provider keys.

About this happening: A **coordinated malware campaign** on the **JetBrains Marketplace** is stealing developers' **AI provider API keys** through malicious plugins that pose as **AI coding assistants*...

Open Happening

Contagious Interview UNK_DeadDrop GitHub phishing campaign

Campaign
H score37 First: 15.06.2026 22:32 Last: 15.06.2026 22:32 Sources 1

About this happening: The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...

Open Happening

North Korea-aligned developer-targeting operations shift from fake interviews to recruitment phishing at scale

Threat Actor Meta
H score31 First: 15.06.2026 22:32 Last: 15.06.2026 22:32 Sources 1

About this happening: North Korea-aligned developer-targeting operations are shifting from **fake interviews** to **recruitment-themed phishing** at scale, increasing the risk of industrialized **crede...

Open Happening

JustAskJacky fake AI assistant malware campaign

Campaign
H score33 First: 04.06.2026 17:00 Last: 04.06.2026 17:00 Sources 1

About this happening: The **JustAskJacky** campaign is distributing a fake **AI assistant** that installs a **backdoor**, turning trusted-looking software into a malware delivery path. The operation us...

Open Happening

Timeline

  1. 17.06.2026 12:38 2 articles · 1d ago

    JetBrains Marketplace campaign publishes malicious AI coding assistant plugins through June 10, 2026

    Campaign Scope Update

    A coordinated JetBrains Marketplace campaign kept releasing AI-themed plugins through June 10, 2026, with at least 15 entries posing as coding assistants built on DeepSeek and other large language models. The plugins required users to enter API keys for services such as OpenAI, SiliconFlow, or DeepSeek and then exfiltrated those keys to 39.107.60[.]51 over plaintext HTTP.

    Show sources
    Open in new tab
  2. 17.06.2026 12:38 1 articles · 1d ago

    Researchers flag JetBrains Marketplace plugins stealing AI provider keys

    Initial Disclosure

    Researchers publicly flagged a coordinated malware campaign on JetBrains Marketplace that posed as AI coding assistants, used DeepSeek and other large language models as cover, and exfiltrated AI provider API keys to attacker-controlled infrastructure. Aikido Security also said the campaign had been active since late October 2025 and that two plugins had more than 25,000 downloads each.

    Show sources
    Open in new tab