Seventy thousand installations. That is the scale at which at least 15 malicious plugins spread across the JetBrains Marketplace before researchers documented the campaign, according to BleepingComputer's June 2026 reporting. The plugins were not obvious traps. They presented as the kind of tools a developer reaching for AI-powered productivity would reasonably install: coding assistants, code-review utilities, Git helpers. The lesson here is not simply that bad things exist in software ecosystems. It is that the workflow developers use to accelerate AI-powered work is structurally identical to the workflow that exposes their credentials, and understanding that structure is what lets you build more carefully.

## How the Exfiltration Mechanism Worked

Aikido Security identified the campaign and documented its mechanics in detail. The malicious plugins contained logic that triggered on a single, specific user action: clicking "Apply" after entering AI API credentials in the plugin's settings dialog. At that precise moment, the key was transmitted over HTTP to a server at IP address 39.107.60[.]51, hardcoded inside the plugin. According to SOC Defenders' summary of the BleepingComputer investigation, this design was not ambiguous; the exfiltration targeted the exact instant a developer would reasonably assume their credentials were being saved locally to their IDE configuration.

The campaign had been active since October 2025, with new plugins continuing to appear as recently as June 2026, spread across approximately seven vendor accounts on the marketplace. Using multiple accounts meant that removing individual plugins did not neutralize the operation, since the same actors could republish under a different account name.

## The Supply-Chain Angle Builders Need to Understand

The instructive part of this campaign is not that malicious software exists; it is where these plugins operated. IDE plugin marketplaces are trusted infrastructure.
Developers extend implicit trust to marketplace listings in a way they would not extend to a random download link, and that trust is what the campaign relied on. Knostic's analysis of IDE extension security frames this directly: IDE extensions occupy a privileged position in the development environment, with access to configuration files, credentials, and network egress that most other software categories would not receive without explicit permission. The same plugin architecture that makes AI coding assistants genuinely useful, deep integration with project files and settings, is what made these malicious listings dangerous. This is a structural observation, not a reason to avoid tooling; it is a reason to apply the same scrutiny to a marketplace listing that you would apply to a dependency in your package manifest.

The JetBrains incident did not occur in isolation. The Hacker News reported in January 2026 on malicious VS Code AI extensions that had accumulated 1.5 million installs and were stealing developer source code. Netwrix published analysis in May 2026 noting that AI desktop assistants and coding tools present credential storage risks that are distinct from traditional credential hygiene problems, because the credentials involved (AI provider API keys) carry direct financial exposure and can be used to exfiltrate data from the AI provider's infrastructure rather than just the developer's local environment.

## What Builders Can Do Right Now

The practical obligations here are straightforward, even if the compliance posture around them is still forming. SOC Defenders' summary of the investigation identifies three immediate actions: remove any suspicious plugins from your IDE environment, monitor for unauthorized API key usage against your AI provider accounts, and treat third-party plugin installation as a supply-chain decision rather than a convenience decision. That third point is the durable one.
Auditing which plugins have access to credential entry points in your IDE, checking publisher account histories, and preferring plugins from vendors with verifiable organizational identities are not exotic security measures; they are the same due-diligence steps that software teams already apply to open-source dependencies.

For teams building on AI APIs professionally, the credential-management implication is worth stating plainly. An API key entered into a plugin's settings dialog and exfiltrated over HTTP is a key that your AI provider has no way to distinguish from legitimate use. Rotating keys after any plugin audit, scoping keys to the minimum permissions required, and using environment variables or secrets managers rather than IDE settings dialogs wherever the tooling supports it reduces the blast radius of any future exposure. None of this requires waiting for a marketplace to improve its vetting process; these are controls a builder can implement today.

The JetBrains case will not be the last campaign of this type. As AI API credentials become more financially and operationally valuable, the developer tooling ecosystem becomes a more attractive target. The builders who treat their IDE extension list with the same seriousness they bring to their dependency graph are the ones who will navigate this environment with the least disruption. Watch for JetBrains' own fixed security issues documentation, which is a useful ongoing reference for marketplace-related disclosures, and for further reporting from Aikido Security, which has been among the more precise sources on this class of supply-chain risk.

## Sources

- Malicious JetBrains Marketplace plugins steal AI API keys from developers | SOC Defenders
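
The plugin audit described under "What Builders Can Do Right Now" can start with a sweep of installed plugin archives for the hardcoded server address the article reports. The following is an added example, not code from Aikido Security, JetBrains or the original page; the names `scan_zip`, `scan_plugins`, `make_jar` and `MAX_ENTRY` are its own, and it assumes the address is stored as a plain ASCII literal, so a hit is a lead for review while a clean result does not clear a plugin that obfuscates the string.

```python
import io
import sys
import zipfile
from pathlib import Path

IOC = b"39.107.60.51"      # the article's 39.107.60[.]51, re-fanged for matching
MAX_ENTRY = 64 * 2**20     # assumed cap: skip entries over 64 MiB to bound memory

def scan_zip(blob, label, needle=IOC, depth=0):
    """Return 'archive!entry' paths whose uncompressed bytes contain needle."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return hits
    with zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_ENTRY:
                continue
            name = f"{label}!{info.filename}"
            try:
                data = zf.read(info)
            except Exception:  # encrypted, unsupported or corrupt entry: skip it
                continue
            if info.filename.lower().endswith((".jar", ".zip")) and depth < 3:
                hits += scan_zip(data, name, needle, depth + 1)  # e.g. lib/*.jar in a plugin zip
            elif needle in data:
                hits.append(name)
    return hits

def scan_plugins(root, needle=IOC):
    """Scan every .jar/.zip under a plugins directory; return sorted hit paths."""
    root, hits = Path(root), []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in {".jar", ".zip"}:
            hits += scan_zip(path.read_bytes(), path.relative_to(root).as_posix(), needle)
    return sorted(hits)

def make_jar(entries):
    """Build an in-memory jar from {name: bytes}; for constructed test fixtures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    for hit in scan_plugins(sys.argv[1]):
        print("indicator found in", hit)
```

Run it with the IDE's plugins directory as the only argument; any plugin it flags should be removed and every key entered into that plugin's settings rotated.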
