Summary
Key Points:
- At least 15 malicious plugins on the JetBrains Marketplace are designed to steal AI API keys from developers, with approximately 70,000 installations reported.
- The plugins exfiltrate API keys when users click "Apply" after entering their credentials, sending them to a hardcoded server. The campaign has been active since October 2025, with new plugins emerging as recently as June 2026.
- Security teams should immediately remove any suspicious plugins from their IDEs, monitor for unauthorized API key usage, and educate developers about the risks of third-party plugins.
Technical Details: The malicious plugins transmit stolen API keys over HTTP to a server at IP address 39.107.60[.]51. The plugins masquerade as legitimate tools while secretly harvesting sensitive information.
MITRE ATT&CK Techniques:
- T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
IOCs Mentioned:
- IP Address: 39.107.60[.]51
- Plugin ID: ord.cp.code.ai.kit
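
The removal step above depends on knowing which workstations have a listed plugin installed. The following is an added example, not code from the original report: it walks an IDE plugins directory, reads each jar's `META-INF/plugin.xml` descriptor, and reports jars whose `<id>` matches the plugin ID in the IOC list. The directory to scan is supplied by the caller; the size cap, the helper names, and the sample layout built by `build_sample` are assumptions made for this illustration. Only one of the reported plugin IDs appears on this page, so a clean result covers that ID alone.

```python
"""Inventory JetBrains plugin jars and flag plugin IDs listed as IOCs."""
import sys
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

# The one plugin ID the summary lists; extend the set as more are published.
FLAGGED_IDS = {"ord.cp.code.ai.kit"}
MAX_DESCRIPTOR_BYTES = 1_000_000  # assumption: size cap for untrusted plugin.xml

def plugin_id(jar):
    """Return the <id> from META-INF/plugin.xml inside a jar, or None."""
    try:
        with zipfile.ZipFile(jar) as zf:
            info = zf.getinfo("META-INF/plugin.xml")
            if info.file_size > MAX_DESCRIPTOR_BYTES:
                return None  # refuse oversized descriptors from untrusted jars
            root = ET.fromstring(zf.read(info))
    except (KeyError, zipfile.BadZipFile, ET.ParseError, OSError):
        return None  # no descriptor in this jar, or the jar is unreadable
    text = root.findtext("id")
    return text.strip() if text else None

def find_flagged(plugins_root, flagged=FLAGGED_IDS):
    """Walk a plugins directory; return sorted (plugin_id, jar_path) hits."""
    hits = []
    for jar in Path(plugins_root).rglob("*.jar"):
        pid = plugin_id(jar)
        if pid in flagged:
            hits.append((pid, str(jar)))
    return sorted(hits)

def build_sample(root):
    """Constructed sample layout: one flagged plugin and one benign plugin."""
    for folder, pid in (("ai-kit", "ord.cp.code.ai.kit"), ("benign", "com.example.benign")):
        lib = Path(root) / folder / "lib"
        lib.mkdir(parents=True)
        with zipfile.ZipFile(lib / f"{folder}.jar", "w") as zf:
            zf.writestr("META-INF/plugin.xml", f"<idea-plugin><id>{pid}</id></idea-plugin>")

if __name__ == "__main__":
    target = Path(sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp())
    if len(sys.argv) == 1:
        build_sample(target)  # no path given: scan the constructed sample
    for pid, jar in find_flagged(target):
        print(f"FLAGGED {pid} {jar}")
```

Run it with the path to an IDE's plugins directory as the only argument; with no argument it scans the constructed sample and prints the single flagged jar.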