Multiple JetBrains IDE plugins caught stealing AI keys

June 16, 2026

A clever corporate espionage campaign has been discovered operating directly inside developer environments. A coordinated cluster of at least 15 distinct JetBrains IDE plugins, spread across seven seemingly separate vendor accounts, was found to be malicious. The extensions are purpose-built to locate, extract, and exfiltrate highly sensitive AI provider API keys (such as OpenAI, Anthropic, and cloud provider tokens) that engineers paste into their IDE configurations or environment settings. This allows the attackers to hijack expensive corporate AI infrastructure and potentially access proprietary data processed by those AI models.Organizations must enforce strict endpoint application policies to block the installation of unverified, third-party IDE extensions across the entire engineering fleet. Security teams must perform an inventory of all active JetBrains plugins, immediately uninstall the identified malicious entities, and enforce a blanket revocation and rotation of all enterprise AI platform API tokens.If you need expert assistance in identifying compromised packages, securing your CI/CD pipelines, or conducting an emergency supply chain audit, contact Cyberlinx today to protect your development environment.

Table of Contents
Resource Type
Threat Intel
Category
DevSecOps
Written by
Cyberlinx Research Team
Offensive Security Research Team
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?