Cybersecurity researchers have uncovered a coordinated malware campaign targeting software developers through the JetBrains Marketplace. The campaign published at least 15 malicious plugins posing as AI coding assistants built on DeepSeek and other large language models, with the goal of silently exfiltrating AI provider API keys and developer credentials from infected machines. In a parallel campaign, malicious Chrome extensions were found capturing chatbot conversation history from popular AI platforms.
The JetBrains Marketplace Campaign
The malicious plugins were designed to appear as legitimate productivity tools — specifically AI-powered code completion and assistant plugins that have surged in popularity as developers integrate LLMs into their workflows. Each plugin:
- Claimed to be powered by DeepSeek, a Chinese AI model that gained massive adoption in early 2026 following its open-weight release
- Functioned as advertised — the plugins did perform rudimentary AI-assist tasks to avoid suspicion
- Harvested AI API keys from the developer's IDE environment, including keys for OpenAI, Anthropic Claude, Google Gemini, AWS Bedrock, and Azure OpenAI Services
- Exfiltrated tokens to attacker-controlled infrastructure disguised as telemetry endpoints
The JetBrains Marketplace, which serves users of IntelliJ IDEA, PyCharm, GoLand, WebStorm, and other JetBrains IDEs, is a high-value target because developers frequently store credentials and API keys in their IDE configuration — sometimes directly in environment variables or .env files accessible to plugins.
Chrome Extensions: Capturing AI Conversations
In a related but distinct campaign, researchers identified malicious Chrome browser extensions that targeted AI chatbot platforms including ChatGPT, Claude.ai, Gemini, and Copilot. These extensions:
- Injected content scripts into AI chat interfaces to capture conversation history
- Monitored clipboard activity for API keys and tokens being copied by users
- Exfiltrated captured data including session cookies that could be used for account hijacking
The extensions were distributed through the Chrome Web Store using names similar to legitimate AI productivity tools, using typosquatting and keyword stuffing to appear in search results.
Why Developers Are a Prime Target
The campaign follows a well-established pattern of attackers pivoting toward developer-specific attack surfaces:
- Developers hold the keys to everything — API keys for cloud providers, AI services, CI/CD pipelines, and production databases
- IDE plugins run with full user-level access and can read any file the user has access to, including .env files, SSH keys, and credential stores
- AI tool adoption has created a new attack surface — as developers rush to integrate AI assistants, they grant broad permissions to plugins without thorough vetting
The theft of AI API keys in particular represents a new and lucrative criminal business. Stolen keys can be:
- Sold on underground marketplaces for use in generating AI content at the key owner's expense
- Used to run large-scale phishing campaigns powered by the victim's LLM quota
- Leveraged to exfiltrate sensitive data from AI-connected enterprise systems
Affected Plugins and Removal Status
JetBrains has been notified of the malicious plugins and has begun the removal process from the Marketplace. As of publication, some plugins may still be available for download. The malicious plugins were identified under the following general characteristics:
- Published by newly registered or low-reputation vendor accounts
- Requested broad file system and network access in their plugin manifests
- Had inflated review scores inconsistent with their user counts
Specific plugin names and hashes have been published in the original research advisory.
Indicators of Compromise
Developers who have installed AI coding assistant plugins from unverified vendors should look for:
- Unexpected outbound network connections from their IDE process to unfamiliar domains
- Unusual API quota consumption on AI provider dashboards — a sign that keys may be in use elsewhere
- DNS requests from IDE processes to domains with random-looking hostnames
- Modified or newly created files in .config, .local, or home directory dotfiles that store credentials
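The first three indicators above can be checked mechanically if you log process-level network activity (for example from an EDR agent or a host firewall). The script below is an added example, not part of the original advisory or any vendor tooling: it runs over a few constructed log lines in a simple key=value format, keeps only events from JetBrains IDE processes, flags connections to hosts outside an allowlist of known IDE and AI provider domains, and flags DNS queries whose leftmost label looks machine-generated (long, digit-heavy, high entropy). The process names, the allowlist and the log format are assumptions; adapt them to your telemetry.

```python
import math
import re
from collections import Counter

# Process names of JetBrains IDEs (assumed; they vary by platform and launcher).
IDE_PROCESSES = {"idea", "idea64", "pycharm", "pycharm64", "goland", "webstorm", "clion64", "rider64"}

# Destinations an IDE or an AI assistant plugin is expected to contact (constructed allowlist).
KNOWN_GOOD_SUFFIXES = (
    "jetbrains.com",
    "api.openai.com",
    "api.anthropic.com",
    "generativelanguage.googleapis.com",
    "bedrock-runtime.amazonaws.com",
    "openai.azure.com",
)

# Constructed sample telemetry in a key=value format (not real captured traffic).
LOG_LINES = [
    "ts=2026-03-01T09:00:01Z proc=idea64 pid=4321 event=connect dst=api.openai.com:443",
    "ts=2026-03-01T09:00:02Z proc=idea64 pid=4321 event=connect dst=plugins.jetbrains.com:443",
    "ts=2026-03-01T09:00:05Z proc=idea64 pid=4321 event=connect dst=metrics.plugin-telemetry.example:443",
    "ts=2026-03-01T09:00:06Z proc=idea64 pid=4321 event=dns qname=q8x2zk7p1m4v.cdn-sync.example",
    "ts=2026-03-01T09:00:07Z proc=firefox pid=777 event=connect dst=news.example:443",
    "ts=2026-03-01T09:00:08Z proc=idea64 pid=4321 event=dns qname=api.anthropic.com",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(KV_RE.findall(line))


def shannon_entropy(text):
    """Bits of entropy per character of a string (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def looks_random(label):
    """Heuristic for generated DNS labels: at least 10 chars, 2+ digits, entropy >= 3 bits."""
    digits = sum(ch.isdigit() for ch in label)
    return len(label) >= 10 and digits >= 2 and shannon_entropy(label) >= 3.0


def is_known_good(host):
    """True if host equals or is a subdomain of an allowlisted suffix."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in KNOWN_GOOD_SUFFIXES)


def analyse(lines):
    """Return (rule, process, host) findings for IDE-process events in the given log lines."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("proc") not in IDE_PROCESSES:
            continue  # only IDE processes are in scope for this check
        if rec.get("event") == "connect":
            host = rec["dst"].rsplit(":", 1)[0]  # strip the port
            if not is_known_good(host):
                findings.append(("unfamiliar_destination", rec["proc"], host))
        elif rec.get("event") == "dns":
            qname = rec["qname"]
            if not is_known_good(qname) and looks_random(qname.split(".")[0]):
                findings.append(("random_hostname", rec["proc"], qname))
    return findings


if __name__ == "__main__":
    for rule, proc, host in analyse(LOG_LINES):
        print(f"{rule:24} {proc:10} {host}")
```

On the constructed lines this reports the telemetry-looking destination and the random-label DNS query and stays silent on the allowlisted providers and the browser traffic. The entropy heuristic is deliberately conservative (it requires digits as well as high entropy) so that ordinary hyphenated hostnames do not trip it; treat its output as a triage queue, not a verdict.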
Recommended Actions for Developers
- Audit installed JetBrains plugins immediately — Remove any AI assistant plugins installed in the past 90 days that are not from verified, well-known publishers (JetBrains official, established vendors).
- Rotate all AI API keys — Revoke and reissue keys for OpenAI, Anthropic, Google, AWS, and any other AI provider you use from your development environment.
- Review browser extension permissions — Check installed Chrome extensions for those with access to all sites or clipboard permissions that are not from reputable sources.
- Enable API key usage alerts — Most AI providers offer usage alerts; enable notifications for any consumption above your typical threshold.
- Use secrets management — Store API keys in a dedicated secrets manager (HashiCorp Vault, AWS Secrets Manager, 1Password for developers) rather than in environment files or IDE configuration.
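The first step above, auditing installed plugins by publisher and install date, can be scripted against the IDE's plugin directory. The following is an added example and not JetBrains tooling: it assumes the standard layout in which each installed plugin is a directory containing `lib/*.jar`, and that one of those JARs carries a `META-INF/plugin.xml` descriptor with `<id>`, `<name>` and `<vendor>` elements. It reads each descriptor, uses the plugin directory's modification time as the install date, and flags plugins whose vendor is not in a trusted list, that were installed within the last 90 days, or whose name suggests an AI assistant. A fixture function builds two constructed plugins in a temporary directory so the script runs stand-alone; point `audit_plugins` at your real plugins directory (for example under `~/.local/share/JetBrains/<Product>/` on Linux, a path that varies by product and version) to use it for real.

```python
import os
import re
import tempfile
import time
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

TRUSTED_VENDORS = {"JetBrains"}  # constructed starting point; add vendors you have vetted
RECENT_DAYS = 90                 # window named in the advisory's recommended actions
AI_TOKENS = {"ai", "deepseek", "gpt", "llm", "copilot", "assistant"}


def read_descriptor(plugin_dir):
    """Return (id, name, vendor) from the first META-INF/plugin.xml found in lib/*.jar, else None."""
    for jar in sorted((plugin_dir / "lib").glob("*.jar")):
        with zipfile.ZipFile(jar) as zf:
            if "META-INF/plugin.xml" not in zf.namelist():
                continue
            root = ET.fromstring(zf.read("META-INF/plugin.xml"))
            text = lambda tag: (root.findtext(tag) or "").strip()
            return text("id"), text("name"), text("vendor")
    return None


def audit_plugins(plugins_root, now=None):
    """Inventory every plugin under plugins_root and attach review flags to each entry."""
    now = now or time.time()
    report = []
    for plugin_dir in sorted(p for p in Path(plugins_root).iterdir() if p.is_dir()):
        desc = read_descriptor(plugin_dir)
        if desc is None:
            continue  # not a plugin directory we can describe
        pid, name, vendor = desc
        age_days = (now - plugin_dir.stat().st_mtime) / 86400
        tokens = set(re.findall(r"[a-z0-9]+", f"{name} {pid}".lower()))
        flags = []
        if vendor not in TRUSTED_VENDORS:
            flags.append("untrusted_vendor")
        if age_days <= RECENT_DAYS:
            flags.append("installed_recently")
        if tokens & AI_TOKENS:
            flags.append("ai_assistant")
        report.append({"dir": plugin_dir.name, "id": pid, "name": name,
                       "vendor": vendor, "age_days": round(age_days), "flags": flags})
    return report


def build_sample_plugins_dir(base=None):
    """Create a constructed plugins directory with two fake plugins (a test fixture, not real plugins)."""
    base = Path(base or tempfile.mkdtemp(prefix="jb-plugins-"))
    samples = {
        # dirname: (plugin id, display name, vendor, days since install)
        "Kotlin": ("org.jetbrains.kotlin", "Kotlin", "JetBrains", 400),
        "DeepSeekCoder": ("com.example.deepseek.coder", "DeepSeek Coder Assistant", "example-dev-2026", 5),
    }
    for dirname, (pid, name, vendor, age_days) in samples.items():
        lib = base / dirname / "lib"
        lib.mkdir(parents=True, exist_ok=True)
        xml = f"<idea-plugin><id>{pid}</id><name>{name}</name><vendor>{vendor}</vendor></idea-plugin>"
        with zipfile.ZipFile(lib / f"{dirname}.jar", "w") as zf:
            zf.writestr("META-INF/plugin.xml", xml)
        stamp = time.time() - age_days * 86400
        os.utime(base / dirname, (stamp, stamp))  # backdate the directory to simulate install time
    return base


if __name__ == "__main__":
    for entry in audit_plugins(build_sample_plugins_dir()):
        print(f"{entry['dir']:16} {entry['vendor']:18} {entry['age_days']:>4}d  {', '.join(entry['flags']) or '-'}")
```

A plugin that collects all three flags is exactly the profile the advisory describes (an AI assistant from an unknown vendor installed recently) and is the one to remove first. Directory mtime is only an approximation of install time; if your IDE records install dates elsewhere, prefer that source.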
JetBrains Marketplace Security
JetBrains has indicated it is reviewing its plugin review process to better detect malicious submissions. The company plans to introduce enhanced code scanning and human review for plugins requesting sensitive permissions. Developers are encouraged to report suspicious plugins through JetBrains' security disclosure channel.
Source: The Hacker News. Developers should treat all third-party IDE plugins and browser extensions as potential attack vectors and apply least-privilege principles to their developer toolchain.