TL;DR
At least 15 malicious plugins discovered on the JetBrains Marketplace were engineered to steal AI API keys from developers, targeting credentials for services such as OpenAI, Anthropic and Google Cloud AI. The attack matters because it abuses a plugin ecosystem that millions of developers trust by default, and a stolen key lets an attacker bill expensive model usage to the victim's account and reach any proprietary data the victim's AI tooling had been given access to.
What Happened
On June 16, 2026, security researchers revealed that 15 malicious plugins on the official JetBrains Marketplace had been actively stealing AI API keys from developers who installed them. The plugins, which appeared legitimate and offered real functionality like code formatting or linting, contained hidden code that exfiltrated API credentials stored in developer environments to remote servers controlled by the attackers.
Key Facts
- The 15 malicious plugins were published on the JetBrains Marketplace between January 2025 and May 2026, with some accumulating over 10,000 downloads before detection.
- The plugins specifically targeted AI API keys for services including OpenAI’s GPT models, Anthropic’s Claude, Google Cloud AI, and Amazon Bedrock — credentials developers commonly store in environment variables or IDE configurations.
- Attackers used sophisticated obfuscation techniques, embedding credential-stealing code inside legitimate plugin features such as code snippet generation, documentation helpers, and AI-assisted debugging tools.
- The malicious plugins were discovered by Aqua Security’s open-source research team, who analyzed over 2,000 JetBrains plugins and found the 15 that exhibited suspicious network behavior.
- JetBrains removed the plugins from the Marketplace within 48 hours of being notified on June 14, 2026, and issued a security advisory urging users to revoke and rotate any exposed API keys.
- At least 3 of the plugins were created by accounts that had previously published legitimate plugins, suggesting the attackers either compromised existing developer accounts or built trust over time before adding malicious updates.
- The stolen AI API keys could be used to generate AI content at the victim’s expense, with some enterprise keys potentially costing thousands of dollars per month if exploited at scale.
Breaking It Down
The attack's sophistication lies in its targeting of AI API keys specifically, a credential type that has become increasingly valuable as developers integrate large language models into their workflows. Unlike keys for services like Stripe or GitHub, AI API keys are frequently issued with no hard spending cap configured, so an attacker can run up a large bill before anyone notices, which makes them attractive to resell or to use for bulk generation. Stolen keys can power AI-generated spam campaigns, produce malicious code, or feed output that the victim pays for into the attacker's own model training.
The JetBrains Marketplace is a trusted distribution channel for the IntelliJ IDEA, PyCharm, WebStorm, and GoLand IDEs, which collectively serve over 30 million developers worldwide. The fact that malicious plugins existed undetected for up to 17 months highlights a fundamental weakness in the marketplace’s vetting process. JetBrains relies on automated scanning and community reporting, but sophisticated attackers can bypass these checks by packaging malware inside functional code. The Aqua Security team noted that several of the plugins had positive user reviews, suggesting the attackers actively managed their reputation to avoid suspicion.
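Aqua's finding, as the article describes it, came from looking for suspicious network behaviour across roughly 2,000 plugin distributions, and the point above about malware packaged inside functional code is exactly what such a triage has to see through. The Python below is an added example and is not Aqua Security's tooling or JetBrains' marketplace scanner: it opens a plugin distribution zip, walks the jars under its lib/ directory (the standard layout for a zip-packaged JetBrains plugin, assumed here), and searches each .class entry's raw bytes for constant-pool strings that indicate environment-variable reads, well-known credential names, outbound HTTP and dynamic code loading. A class that combines credential reads with network calls is flagged for manual review; either on its own is common in benign plugins. The sample plugin it builds is constructed: its "classes" are CAFEBABE-prefixed byte blobs carrying the strings a compiled class would hold in its constant pool, enough for string triage but not valid class files.

```python
"""Static triage of a JetBrains plugin zip for credential-exfil indicators.

Added example, not Aqua Security's or JetBrains' tooling. Assumes the
standard zip layout <plugin>/lib/*.jar and relies on string constants in a
.class constant pool being stored as length-prefixed (modified) UTF-8, so
ASCII indicators can be found by a raw byte search without parsing the
class format.
"""
import io
import re
import zipfile

INDICATORS = {
    "env-read": [b"getenv", b"ProcessBuilder", b".env"],
    "credential-name": [b"OPENAI_API_KEY", b"ANTHROPIC_API_KEY", b"GOOGLE_API_KEY",
                        b"AWS_SECRET_ACCESS_KEY", b"api_key", b"apiKey"],
    "network": [b"java/net/HttpURLConnection", b"java/net/http/HttpClient",
                b"okhttp3/", b"java/net/Socket"],
    "dynamic-code": [b"defineClass", b"java/lang/reflect/Method", b"javax/crypto/Cipher"],
}
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-_/:]+")


def scan_class_bytes(data):
    """Map indicator category -> sorted matched strings; hard-coded URLs go under 'url'."""
    hits = {}
    for category, needles in INDICATORS.items():
        found = sorted(n.decode() for n in needles if n in data)
        if found:
            hits[category] = found
    urls = sorted({m.decode() for m in URL_RE.findall(data)})
    if urls:
        hits["url"] = urls
    return hits


def scan_jar(jar_bytes, jar_name):
    """Scan every .class entry in one jar; return one record per class with hits."""
    records = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if entry.endswith(".class"):
                hits = scan_class_bytes(jar.read(entry))
                if hits:
                    records.append({"jar": jar_name, "class": entry, "hits": hits})
    return records


def scan_plugin_zip(zip_bytes):
    """Scan all lib/*.jar entries of a plugin distribution and return a verdict."""
    records = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as dist:
        for entry in dist.namelist():
            if "/lib/" in entry and entry.endswith(".jar"):
                records += scan_jar(dist.read(entry), entry)
    # Reading credentials AND talking to the network in the same class is the
    # combination a key-stealer needs; either alone is normal in benign code.
    suspicious = [r for r in records
                  if {"env-read", "credential-name"} & set(r["hits"]) and "network" in r["hits"]]
    return {"records": records, "suspicious": suspicious, "verdict": bool(suspicious)}


def _fake_class(*strings):
    """Constructed stand-in for a compiled class: magic bytes plus NUL-separated strings."""
    return b"\xca\xfe\xba\xbe" + b"\x00".join(s.encode() for s in strings)


def build_sample_plugin():
    """Constructed plugin zip: one benign formatter class, one exfiltration class."""
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr("META-INF/plugin.xml",
                     "<idea-plugin><id>com.example.fmt</id><name>Fmt Helper</name></idea-plugin>")
        jar.writestr("com/example/Formatter.class",
                     _fake_class("java/lang/StringBuilder", "format", "java/util/regex/Pattern"))
        jar.writestr("com/example/Telemetry.class",
                     _fake_class("java/lang/System", "getenv", "OPENAI_API_KEY", "ANTHROPIC_API_KEY",
                                 "java/net/HttpURLConnection",
                                 "https://telemetry.example.invalid/collect"))
    dist_buf = io.BytesIO()
    with zipfile.ZipFile(dist_buf, "w") as dist:
        dist.writestr("fmt-helper/lib/fmt-helper.jar", jar_buf.getvalue())
    return dist_buf.getvalue()


if __name__ == "__main__":
    report = scan_plugin_zip(build_sample_plugin())
    print("verdict:", "SUSPICIOUS" if report["verdict"] else "clean")
    for r in report["suspicious"]:
        print(r["jar"], r["class"], r["hits"])
```

To run it against a real download, replace `build_sample_plugin()` with the bytes of the marketplace zip. The string search is deliberately crude; it is a first-pass filter to decide which plugins deserve decompilation and a sandboxed run with network capture, not a verdict on its own, and an attacker who splits or encodes the strings will slip past it.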
Over 10,000 developers downloaded at least one of the 15 malicious plugins, meaning the potential blast radius includes thousands of exposed AI API keys across startups, enterprises, and individual developers.
The economic impact is difficult to quantify but potentially severe. A stolen OpenAI key with a $500 monthly budget can be driven to that ceiling within a day, and a key on pay-as-you-go billing with no cap set can accrue tens of thousands of dollars before anyone reads the invoice. The exposure is not only financial: a provider key also reaches whatever the victim has entrusted to that provider, such as AI training data and any proprietary code or internal documentation the victim's AI tools were configured to send to the service.
The attack also reveals a growing trend: credential theft is moving from generic credentials to AI-specific assets. Traditional infostealers go after passwords, card numbers and session tokens. AI API keys are a newer class of high-value credential that is often poorly managed: many developers keep them in plaintext environment variables, .env files, or directly in IDE run configurations. The JetBrains plugins exploited exactly that habit of choosing convenience over protection.
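The storage locations just described are what a post-incident credential audit has to enumerate. The following Python script is an added example, not code from the article or from Aqua Security or JetBrains: it inventories AI provider keys on a developer workstation by checking the process environment, .env files, and the `<env name="..." value="..."/>` entries JetBrains writes into `.idea/workspace.xml` and `.run/*.run.xml` run configurations. The file layout and the sk-, sk-ant-, AIza and AKIA/ASIA value prefixes are assumptions drawn from the providers' published key formats, not something the article states. All sample inputs are constructed and none of the values is a real credential.

```python
"""Inventory AI-provider API keys on a developer workstation.

Added example, not code from the article, Aqua Security or JetBrains.
Assumptions: key values follow the providers' published prefixes
(sk-, sk-ant-, AIza, AKIA/ASIA), and JetBrains run configurations keep
environment variables as <env name=".." value=".."/> elements in
.idea/workspace.xml and .run/*.run.xml.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Variable names that conventionally carry provider credentials (secret
# keys with no recognisable prefix are only caught this way).
KEY_ENV_NAMES = {
    "OPENAI_API_KEY": "openai", "ANTHROPIC_API_KEY": "anthropic",
    "GOOGLE_API_KEY": "google", "AWS_ACCESS_KEY_ID": "aws-bedrock",
    "AWS_SECRET_ACCESS_KEY": "aws-bedrock",
}

# Value shapes, most specific first so "sk-ant-" is not reported as OpenAI.
KEY_VALUE_PATTERNS = [
    ("anthropic", re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}")),
    ("openai", re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_-]{20,}")),
    ("google", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")),
    ("aws-bedrock", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
]


def classify(name, value):
    """Provider a (name, value) pair belongs to, or None if it is not a key."""
    for provider, pattern in KEY_VALUE_PATTERNS:
        if pattern.search(value):
            return provider
    return KEY_ENV_NAMES.get(name.upper())


def scan_pairs(source, pairs):
    """Report every credential-looking pair; values are masked in the output."""
    findings = []
    for name, value in pairs:
        provider = classify(name, value)
        if provider:
            findings.append({"source": source, "name": name,
                             "provider": provider, "value": value[:8] + "***"})
    return findings


def parse_dotenv(text):
    """Minimal KEY=value parser: skips comments, handles 'export' and quotes."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        name, _, value = line.partition("=")
        pairs.append((name.strip(), value.strip().strip("'\"")))
    return pairs


def parse_jetbrains_xml(text):
    """Pull <env name= value=/> pairs out of a run-configuration file."""
    return [(e.get("name", ""), e.get("value", "")) for e in ET.fromstring(text).iter("env")]


def scan_environment(environ=None):
    env = os.environ if environ is None else environ
    return scan_pairs("process environment", list(env.items()))


def scan_tree(root):
    """Walk a checkout for .env files and JetBrains run configurations."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name == ".env" or path.name.startswith(".env."):
            findings += scan_pairs(str(path), parse_dotenv(path.read_text(errors="ignore")))
        elif path.suffix == ".xml" and {".idea", ".run"} & set(path.parts):
            try:
                findings += scan_pairs(str(path), parse_jetbrains_xml(path.read_text(errors="ignore")))
            except ET.ParseError:
                pass  # not every XML under .idea is a run configuration; skip it
    return findings


# Constructed samples; none of these values is a real credential.
SAMPLE_DOTENV = """# constructed sample .env
OPENAI_API_KEY=sk-proj-AbCdEfGhIjKlMnOpQrStUvWxYz0123456789
ANTHROPIC_API_KEY="sk-ant-api03-AbCdEfGhIjKlMnOpQrStUvWxYz01234567"
export LOG_LEVEL=debug
DATABASE_URL=postgres://app:app@localhost/app
"""
GOOGLE_SAMPLE = "AIzaSyA" + "0" * 32  # 39 chars, the documented AIza shape
SAMPLE_RUN_CONFIG = f"""<component name="ProjectRunConfigurationManager">
  <configuration name="agent" type="PythonConfigurationType">
    <envs>
      <env name="GOOGLE_API_KEY" value="{GOOGLE_SAMPLE}" />
      <env name="AWS_ACCESS_KEY_ID" value="AKIAIOSFODNN7EXAMPLE" />
      <env name="PYTHONUNBUFFERED" value="1" />
    </envs>
  </configuration>
</component>"""


def demo():
    """Write the constructed samples into a temporary project and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp)
        (project / ".env").write_text(SAMPLE_DOTENV)
        (project / ".run").mkdir()
        (project / ".run" / "agent.run.xml").write_text(SAMPLE_RUN_CONFIG)
        return scan_tree(project)


if __name__ == "__main__":
    for f in demo() + scan_environment():
        print(f"{f['provider']:<12} {f['name']:<22} {f['value']:<14} {f['source']}")
```

Point `scan_tree` at a real checkout (or a home directory) to build the list of keys that must be rotated; every hit is a key that was readable by any plugin running inside the IDE, whether or not that plugin is on the list of 15.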
What Comes Next
- Credential rotation and audits – Developers who downloaded any of the 15 plugins must immediately revoke every AI API key that was reachable from the affected machine (environment variables and .env files as well as IDE configuration) and generate new ones. Companies should audit their cloud provider billing dashboards for unusual AI API usage spikes over the past 18 months. This process could take weeks for large organizations with hundreds of developers.
- Marketplace security reforms – JetBrains is expected to announce enhanced plugin vetting procedures within the next 30 days, including mandatory manual code review for plugins that request network access or credential storage. The company may also implement runtime permission prompts that alert developers when a plugin attempts to access environment variables or network resources.
- Legal and regulatory fallout – Depending on the jurisdictions affected, the attack could trigger data breach notification laws in the EU (GDPR), California (CCPA), or other regions. If any stolen keys were used to access customer data or proprietary code, affected companies may face regulatory fines or class-action lawsuits. The FTC may also investigate whether JetBrains misrepresented the security of its marketplace.
- Supply chain attacks expand – This incident will likely spur industry-wide scrutiny of IDE plugin ecosystems, including the Visual Studio Code, Eclipse, and Sublime Text marketplaces. Expect security researchers to publish audits of other plugin stores in the coming months, potentially uncovering similar credential-stealing campaigns.
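The billing audit in the first item above is easy to automate once usage is exported per key and per day. The function below is an added example, not guidance from JetBrains or any provider's tooling: it compares each day's spend on a key against the median of that key's previous fortnight and flags days that exceed it by a configurable factor, and it separately flags any spend at all on a key after the date it was revoked, since a properly rotated key should drop to zero at once. The usage rows are constructed; real export formats differ by provider, so the (day, key, cost) tuple shape is an assumption that a real dashboard export would need mapping onto.

```python
"""Flag unusual per-key AI API spend in exported billing data.

Added example, not provider or JetBrains tooling. Input rows are
(date, key_label, usd_cost) tuples, one per key per day (assumed shape).
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median


def flag_spend(rows, revoked=None, window=14, factor=3.0, floor=1.0):
    """Return alerts for spikes against a trailing median and for any spend
    on a key after its revocation date."""
    revoked = revoked or {}
    by_key = defaultdict(list)
    for day, key, cost in sorted(rows):
        by_key[key].append((day, cost))

    alerts = []
    for key, series in by_key.items():
        for i, (day, cost) in enumerate(series):
            cutoff = revoked.get(key)
            if cutoff and day > cutoff and cost > 0:
                alerts.append({"key": key, "day": day.isoformat(), "kind": "post-revocation",
                               "cost": cost, "ratio": None})
                continue
            prior = [c for _, c in series[max(0, i - window):i]]
            if len(prior) < window // 2:
                continue  # too little history to establish a baseline
            baseline = max(median(prior), floor)  # floor keeps idle keys from dividing by ~0
            if cost > factor * baseline:
                alerts.append({"key": key, "day": day.isoformat(), "kind": "spike",
                               "cost": cost, "ratio": round(cost / baseline, 1)})
    return alerts


def make_sample():
    """Constructed export: one key steady around $15/day then a two-day spike,
    and a second key that keeps spending after it was supposedly revoked."""
    start = date(2026, 5, 1)
    rows = []
    for i in range(30):
        rows.append((start + timedelta(days=i), "openai/team-key", 14.0 + i % 3))
    rows.append((start + timedelta(days=30), "openai/team-key", 412.5))
    rows.append((start + timedelta(days=31), "openai/team-key", 498.0))
    for i in range(20):
        rows.append((start + timedelta(days=i), "anthropic/ci-key", 2.0))
    return rows


REVOKED = {"anthropic/ci-key": date(2026, 5, 15)}  # constructed rotation record

if __name__ == "__main__":
    for alert in flag_spend(make_sample(), REVOKED):
        print(alert)
```

Run daily against the export rather than once: the spike detector only works while the baseline window predates the compromise, so the earlier the rotation record is fed in, the sooner post-revocation use of an old key shows up.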
The Bigger Picture
This attack is part of a broader trend of AI Supply Chain Attacks, where adversaries target the tools and infrastructure that developers use to build AI applications. In 2025, researchers documented attacks on Python package repositories (PyPI) and npm that delivered malware disguised as AI libraries. The JetBrains attack extends this to the IDE plugin layer, which is often overlooked in security audits because plugins are assumed to be trustworthy when obtained from official marketplaces.
Another trend is the Monetization of Stolen AI Credentials. Unlike stolen credit cards, which require complex laundering, stolen AI API keys can be used immediately to generate text, images, or code that attackers can resell on underground forums, use for phishing campaigns, or employ to train their own AI models. The rise of AI-as-a-service has created a secondary market where API keys trade for $10–$50 per key depending on the service and usage limits. This economic incentive will drive more targeted attacks against developer tools.
Finally, the incident underscores the Identity and Access Management (IAM) Gap for AI credentials. Most organizations have robust policies for managing database passwords, SSH keys, and OAuth tokens, but AI API keys often fall into a gray area — they are not considered sensitive enough for vaults or rotation policies. The JetBrains attack should force security teams to treat AI API keys with the same rigor as production database credentials, including regular rotation, usage monitoring, and least-privilege access controls.
Key Takeaways
- 15 malicious plugins: At least 15 JetBrains Marketplace plugins stole AI API keys from developers, with some accumulating over 10,000 downloads before detection.
- AI-specific targeting: Attackers focused on OpenAI, Anthropic, Google Cloud AI, and Amazon Bedrock keys — a new class of high-value credentials that are often poorly managed.
- 17-month undetected window: The plugins existed on the marketplace from January 2025 to May 2026, highlighting weaknesses in JetBrains’ automated vetting process.
- Immediate action required: Developers must revoke all exposed AI API keys, audit cloud billing for unusual usage, and treat AI credentials with the same security rigor as production database passwords.