supplychainattack.org · Supply chain attack incident catalog
Status: active · Severity: critical

15 Malicious JetBrains Plugins Stole AI API Keys from 70,000 Developers

A coordinated 8-month supply chain attack placed 15 malicious plugins on the official JetBrains Marketplace and used them to steal AI API keys from approximately 70,000 developers. The credential-stealing code exfiltrated OpenAI, DeepSeek, and SiliconFlow API keys to an attacker-controlled server in Beijing, which remained operational at the time of disclosure.

Disclosed: June 19, 2026
Last updated: June 20, 2026
Blast radius: 70,000 developers; OpenAI, DeepSeek, and SiliconFlow API keys compromised
Affected entities
  • JetBrains Marketplace: 15 malicious AI coding assistant plugins

A coordinated supply chain attack targeted the JetBrains Marketplace by distributing 15 malicious plugins disguised as AI coding assistants. Over an 8-month campaign, these plugins were installed by approximately 70,000 developers.

The malicious plugins contained credential-stealing code designed to exfiltrate API keys for OpenAI, DeepSeek, and SiliconFlow services. The stolen credentials were sent to an attacker-controlled command-and-control server located in Beijing.

At the time of investigation and disclosure, the attacker infrastructure remained operational, indicating the campaign was still active. The compromise affected a significant number of developers and the AI service credentials stored in their development environments.

Indicators of compromise

Domains
  • Beijing-based attacker C2 server (specific domain not disclosed in source)

Remediation

  • Revoke all OpenAI, DeepSeek, and SiliconFlow API keys that may have been exposed
  • Audit JetBrains plugin installations and remove any suspicious or unfamiliar AI coding assistant plugins
  • Review plugin marketplace for additional malicious entries and report to JetBrains security team
  • Monitor API usage for unauthorized access or anomalous activity
  • Enable multi-factor authentication on all AI service accounts
  • Implement plugin allowlisting policies to restrict installation to verified, trusted plugins only
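To make the audit and allowlisting items concrete, here is an added Python example; it is not code from supplychainattack.org, StepSecurity or JetBrains. It assumes the usual IDE layout in which each installed plugin sits under the IDE's plugins directory either as a folder with lib/*.jar or as a bare .jar, and that one jar carries META-INF/plugin.xml whose <id> element names the plugin. The allowlist and the sample plugin tree it builds in a temporary directory are constructed for the demo; point it at a real plugins directory to audit an actual installation.

```python
"""Audit installed JetBrains IDE plugins against an allowlist.

Added example; not code from supplychainattack.org, StepSecurity or JetBrains.
Assumption: installed plugins live under the IDE's plugins directory either as
<PluginDir>/lib/*.jar or as a bare <Plugin>.jar, and one jar carries
META-INF/plugin.xml whose <id> element is the plugin's identifier.
Typical roots (assumed; verify for your IDE and version):
  Linux:   ~/.local/share/JetBrains/<Product><Version>/
  macOS:   ~/Library/Application Support/JetBrains/<Product><Version>/plugins/
  Windows: %APPDATA%\\JetBrains\\<Product><Version>\\plugins\\
"""
import sys
import tempfile
import xml.etree.ElementTree as ET
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Set

DESCRIPTOR = "META-INF/plugin.xml"


def plugin_id_from_jar(jar: Path) -> Optional[str]:
    """Return the <id> declared in the jar's plugin descriptor, or None."""
    try:
        with zipfile.ZipFile(jar) as zf:
            if DESCRIPTOR not in zf.namelist():
                return None
            root = ET.fromstring(zf.read(DESCRIPTOR))
    except (zipfile.BadZipFile, ET.ParseError, OSError):
        return None  # unreadable: report as unidentified rather than guess
    id_el = root.find("id")
    return id_el.text.strip() if id_el is not None and id_el.text else None


def plugin_id(entry: Path) -> Optional[str]:
    """Resolve a plugins-directory entry (folder with lib/*.jar, or bare jar) to its id."""
    jars = [entry] if entry.suffix == ".jar" else sorted(entry.glob("lib/*.jar"))
    for jar in jars:
        pid = plugin_id_from_jar(jar)
        if pid:
            return pid
    return None


def audit_plugins(plugins_root: Path, allowlist: Set[str]) -> Dict[str, List[str]]:
    """Classify every installed plugin as allowed, unexpected, or unidentified.

    'unexpected' plugins are installed but not on the allowlist: candidates for
    removal and for rotating any API keys they could have read.
    'unidentified' entries have no readable descriptor and need manual review.
    """
    report: Dict[str, List[str]] = {"allowed": [], "unexpected": [], "unidentified": []}
    for entry in sorted(Path(plugins_root).iterdir()):
        if not (entry.is_dir() or entry.suffix == ".jar"):
            continue
        pid = plugin_id(entry)
        if pid is None:
            report["unidentified"].append(entry.name)
        elif pid in allowlist:
            report["allowed"].append(pid)
        else:
            report["unexpected"].append(pid)
    return report


def build_sample_tree(root: Path) -> None:
    """Write a constructed plugin tree for the demo (sample data, not real plugins)."""
    def write_jar(jar: Path, pid: Optional[str]) -> None:
        jar.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(jar, "w") as zf:
            if pid is None:
                zf.writestr("README.txt", "no descriptor")
            else:
                zf.writestr(DESCRIPTOR, f"<idea-plugin><id>{pid}</id></idea-plugin>")

    write_jar(root / "Approved-Assistant" / "lib" / "assistant.jar", "com.example.approved.assistant")
    write_jar(root / "ai-coder-helper.jar", "com.example.unvetted.aihelper")  # bare jar, not allowlisted
    write_jar(root / "Broken-Plugin" / "lib" / "broken.jar", None)            # no descriptor at all


ALLOWLIST = {"com.example.approved.assistant"}  # constructed; replace with your vetted plugin ids


def run_demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temp dir, audit it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return audit_plugins(root, ALLOWLIST)


if __name__ == "__main__":
    # Usage: python audit_plugins.py [<IDE plugins directory>]; no argument runs the demo.
    report = audit_plugins(Path(sys.argv[1]), ALLOWLIST) if len(sys.argv) > 1 else run_demo()
    for kind, names in report.items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Keying the allowlist on the descriptor's plugin id rather than the folder name matters because a malicious plugin can choose any display name it likes; the id is what the Marketplace and the IDE actually track. Anything that lands in "unexpected" or "unidentified" is the trigger for the other remediation items: remove it, then rotate the OpenAI, DeepSeek, and SiliconFlow keys that IDE could reach.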

Sources

  1. 15 Malicious JetBrains Plugins Stole AI API Keys from 70,000 Developers · StepSecurity

Cite this entry

"15 Malicious JetBrains Plugins Stole AI API Keys from 70,000 Developers." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed June 19, 2026; last updated June 20, 2026. https://supplychainattack.org/incident/15-malicious-jetbrains-plugins-stole-ai-api-keys-from-70-000-developers-3q1kbw


Related incidents

  1. active · critical

    The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave

    TeamPCP conducted a multi-ecosystem supply chain compromise targeting the @antv package and associated development infrastructure. The attack leveraged GitHub, NPM, and VSCode to steal credentials and establish persistence mechanisms.

    Tags: TeamPCP · npm · Other · Account takeover · Compromised package · Malicious maintainer
  2. active · critical

    Malicious IoliteLabs VSCode Extensions Target Solidity Developers on Windows, macOS, and Linux with Backdoor

    Three IoliteLabs VSCode extensions (solidity-macos, solidity-windows, solidity-linux) contained obfuscated backdoors targeting Solidity and Web3 developers across Windows, macOS, and Linux. The backdoors download remote payloads and establish persistence mechanisms on infected systems.

    Tags: Container registry · Other · Compromised package · Malicious maintainer
  3. active · critical

    Mastra npm Supply Chain Attack: 140+ Packages Backdoored via easy-day-js Typosquat

    On June 17, 2026, an attacker compromised the @mastra npm organization and injected easy-day-js, a typosquat of the popular dayjs library, as a dependency across 140+ packages. The malicious package contained an obfuscated postinstall dropper that downloaded and executed a second-stage payload from attacker-controlled servers before self-deleting. The affected packages had a combined weekly download count exceeding 1.1 million.

    Tags: npm · Compromised package · Typosquatting · Malicious maintainer
  4. contained · critical

    TeamPCP Injects Two-Stage Credential Stealer into xinference PyPI Package

    The xinference package on PyPI was compromised with a two-stage credential stealer attributed to the TeamPCP threat actor. The malicious code was injected into the package, potentially affecting users who installed compromised versions.

    Tags: TeamPCP · PyPI · Compromised package · Malicious maintainer