15 JetBrains Plugins and Two Chrome Extensions Harvest AI Keys and Prompts Since October 2025
Coordinated JetBrains and Chrome campaigns have harvested AI credentials and conversation data since October 2025, converting stolen keys into a paid access service. The operation reveals an emerging supply-chain attack model that pairs IDE plugins with browser extensions to monetize LLM usage at victim expense. Standard marketplace screening and secret-handling practices have not adapted to this specific revenue loop.
Coverage has treated the incidents as isolated malware drops. The pattern instead shows deliberate positioning inside high-value developer workflows at the moment AI tooling adoption accelerated, creating repeatable supply-chain channels for credential resale that existing dependency scanners do not yet flag. Continued plugin churn and extension persistence point to low-friction iteration that defenders have not matched.
JetBrains: at least three additional malicious plugins using the same 39.107.60[.]51 endpoint will appear in Marketplace within 60 days.
Sources (3)
- [1]Aikido Security Research Blog(https://aikido.dev/blog/jetbrains-plugins-ai-keys)
- [2]The Hacker News Original Report(https://thehackernews.com/2026/06/malicious-jetbrains-plugins-steal-ai.html)
- [3]PromptSnatcher Analysis by Jean-Marie R.(https://github.com/jean-marie/promptsnatcher)