security-incident api-key-theft jetbrains-ide plugin-vetting credential-rotation

Fifteen malicious JetBrains plugins stole API keys

Plugins masquerading as AI utilities silently harvested API keys via custom TLS disablement and unencrypted HTTP exfiltration to hardcoded C2 IPs—JetBrains remotely disabled all 15 and is hardening Marketplace ingestion rules.

Summary

If you use third-party AI plugins in JetBrains IDEs, any API keys entered before June 17, 2026 are compromised. You must revoke credentials immediately and audit provider logs for unauthorized usage, then shift to sandboxed alternatives like ACP-registered agents.

Why it matters

Implementation verdict

Replaces trust in Marketplace verification badges with mandatory manual plugin audits and credential rotation. Requires: revoke all API keys used in plugins, scan repos for exposed credentials, block C2 IP 39.107.60[.]51 at firewall level, adopt ACP protocol for future AI integrations. Act now—this is confirmed, not speculative.

Sources

1.15 third-party plugins on JetBrains Marketplace that were built to steal AI provider API keys
2.plugins silently installed a JVM-wide X509TrustManager. This step actively disabled standard unsigned and self-signed TLS warnings
3.plugin then quietly transferred the validated key string as a plaintext JSON payload via unencrypted HTTP directly to a hardcoded command-and-control (C2) IP address (39.107.60[.]51)
4.Treat any token entered into these plugins as exposed
5.While the Verified Vendor Badge confirms a publisher's profile is authentic and tied to a real legal entity or individual, it is an organizational verification. It does not serve as a 100% technical guarantee of a plugin's absolute safety or code quality

Dev Signal

Get briefs like this in your inbox — free, 3x a week.

100+ sources compressed into one 4-minute read. Ranked, cited, implementation-ready.

Read the full issue →All briefs