JetBrains Marketplace Under Siege: AI Plugins Harvesting API Keys
Has anyone else looked into the coordinated malware campaign hitting the JetBrains Marketplace? Researchers found over 15 malicious plugins posing as AI assistants (specifically leveraging DeepSeek and other LLMs) to steal API keys. These things aren't just sitting there; they offer chat, code review, and unit test features to lure devs in. (Source: The Hacker News).
We need to tighten up our supply chain validation immediately. If you have dev workstations, I'd suggest checking for anomalous network traffic originating from the IDE or verifying plugin signatures.
Here is a quick KQL query to hunt for potential exfil traffic to non-corporate endpoints associated with these plugin IDs:
DeviceNetworkEvents
| where InitiatingProcessFileName in ("idea64.exe", "pycharm64.exe", "webstorm64.exe")
| where RemoteUrl !contains "jetbrains.com"
| where RemoteUrl !contains "your-corp-domain.com"
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
On the endpoint side, you might want to audit the plugin directories. This PowerShell snippet helps flag unsigned binaries in the plugin folder, which is a common red flag for this campaign:
$pluginsPath = "$env:APPDATA\JetBrains\*\plugins"
Get-ChildItem -Path $pluginsPath -Recurse -Include *.dll, *.jar |
Get-AuthenticodeSignature |
Where-Object { $_.Status -ne 'Valid' -and $_.SignerCertificate -eq $null } |
Select-Object Path, Status, StatusMessage
The attackers are clearly capitalizing on the AI hype cycle. We saw a similar trend with malicious Chrome extensions recently. How are you all handling third-party plugin approvals? Are you moving to internal-only repos?
Solid query. I'd also add a filter for specific User-Agent strings if the plugins are using custom HTTP clients for exfil. We're currently blocking direct internet access from IDEs at the firewall level unless it's to the official update servers or our artifact repo. It's a bit draconian, but it stops this specific vector dead.
We use Artifactory as a proxy for all JetBrains plugins. We haven't whitelisted these new 'AI assistant' plugins yet, so any attempts to install them failed automatically. This incident really highlights why proxying internal dev tools is critical rather than letting them hit the public internet directly.
The social engineering aspect here is clever. Everyone wants 'Copilot' features for free. I audited a sample similar to this last week, and it just scraped environment variables for OPENAI_API_KEY and ANTHROPIC_API_KEY on startup. Standard defense is to rotate keys immediately if you suspect an installation, assuming the attacker didn't automate the usage.
Good call on the proxy. Beyond network blocking, we should audit local plugin configurations for hardcoded C2 domains often hiding in plugin.xml. You can quickly scan your config directory for unverified URLs.
Here’s a Bash command to hunt for HTTP endpoints in installed plugins:
grep -r "http" ~/.config/JetBrains/ --include="plugin.xml" | grep -v "jetbrains.com"
If you find hits, isolate that machine and rotate any exposed API keys immediately. Runtime analysis of the IDE process is also wise to catch obfuscated calls.
Excellent points on the proxy defense. For rapid triage on endpoints, I recommend scanning for recently modified JAR files in the plugin directories. This can catch unauthorized installs that might have slipped through before whitelisting was enforced.
Get-ChildItem "$env:APPDATA\JetBrains" -Recurse -Filter '*.jar' | Sort-Object LastWriteTime -Descending | Select-Object -First 10 FullName, LastWriteTime
Always cross-reference these timestamps with your deployment logs.
Since social engineering is the vector, let's use deception. Deploying honeytokens—specifically fake API keys—in your dev environment variables is an effective way to detect active compromises. If a plugin scrapes and exfils a Canary token, you get an instant alert. This complements the perimeter defenses mentioned perfectly.
You can quickly set a decoy in your shell to see if it gets picked up:
export DEEPSEEK_API_KEY="canarytoken-[your-id]"
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access