JetBrains Marketplace Ecosystem Security Update: Addressing Malicious Third-Party AI Plugins

Jakub Chrzanowski

At JetBrains, we build tools that empower developers to create, automate, and innovate. In today’s rapidly evolving software supply chain and threat landscape, we believe responsible transparency must be the foundation of our developer ecosystem. The explosion of AI-assisted development has revolutionized the way engineering teams work, but it has also introduced new vectors for exploitation. While our Plugin Verifier has historically focused on compatibility and API-usage analysis, we are continuously evolving our Marketplace ingestion pipelines to introduce advanced security scanning capabilities that enhance the protection of our ecosystem.

Our philosophy is simple: discovering and communicating ecosystem flaws, and sharing that information openly with the developer community, is not an indication of weakness; rather, it is evidence of rigorous scrutiny and a proactive threat management program. By aggressively seeking out and dismantling malicious plugin behavior, our aim is to get ahead of threat actors to ensure our community can keep their source code and local environments secure.

To that end, today JetBrains is disclosing an AI API keys theft campaign involving 15 third-party plugins that were published on JetBrains Marketplace.

The incident and immediate mitigation

On June 16, 2026, our teams received security reports detailing an AI API keys theft campaign involving 15 third-party plugins hosted on JetBrains Marketplace. These plugins masqueraded as legitimate AI utilities to secretly harvest developer-configured AI provider API keys.

We took immediate action to eliminate the threat, mitigate user risk, and isolate the vectors used by these malicious actors.

•  Immediate actions taken & current status
  • Total removal: All 15 flagged plugins have been completely purged from JetBrains Marketplace and are blocked from future downloads.
  • Publisher bans: The 7 underlying publisher accounts associated with this campaign have been permanently terminated.
  • Remote kill-switch triggered: All affected plugins have been explicitly marked as broken within our backend architecture. This native mechanism remotely disables the extensions inside any user’s IDE upon the next relaunch, instantly halting any further malicious executions on local machine environments.
  • No core system compromise: Our security team has verified that no internal JetBrains source code, development environments, or core corporate infrastructure were accessed or exposed during this incident.

Technical analysis: How the malicious activity occurred

The malicious plugins operated exactly as advertised (providing text generation or unit testing utilities) to maintain low visibility. The threat actors relied on a highly specific vector to mask their exfiltration activity:

• The trap: When a developer inputted their personal AI provider key into the plugin configuration settings and clicked “Apply,” the plugin executed an unauthorized backend function.
• Evasion: To prevent local networks and IDE debuggers from flagging anomalous connections, the plugins silently installed a JVM-wide X509TrustManager. This step actively disabled standard unsigned and self-signed TLS warnings.
• Exfiltration: The plugin then quietly transferred the validated key string as a plaintext JSON payload via unencrypted HTTP directly to a hardcoded command-and-control (C2) IP address (39.107.60[.]51).

Historically, our Plugin Verifier tool was architected as a compatibility and API-usage checker rather than a dedicated data-flow or anti-malware scanner. Because the core APIs used by the plugins appeared normal in isolation, individual hardcoded endpoints and custom TLS configurations were not flagged during initial ingestion.

Hardening our vetting pipelines

Discovering and communicating these security vulnerabilities is a critical step in building a more resilient development environment. We are continuously updating our automation to ensure this specific pattern cannot bypass initial Marketplace screenings.

We are actively deploying new rule layers to our ingestion pipeline designed specifically to flag and block:

• The inclusion of unencrypted, raw non-HTTPS or raw IP endpoints inside the plugin’s source code.
• Global, unauthorized TLS weakening behavior (such as custom X509TrustManager injections).
• Automated code-review triggers for plugin handling configuration inputs resembling sensitive cloud API keys.

Required actions and step-by-step remediation

If you downloaded or interacted with any of the plugins listed below prior to June 17, 2026, please execute the following security protocols immediately:

• Verify and clean your workplace: Navigate to your IDE’s plugin manager (Settings > Plugins > Installed). While JetBrains has already disabled the 15 compromised tools remotely, manually purge any unverified AI assistants, automated code reviewers, or Git add-ons from your system.

A note on Marketplace trust: When auditing plugins, please keep in mind that while the Verified Vendor Badge confirms a publisher’s profile is authentic and tied to a real legal entity or individual, it is an organizational verification. It does not serve as a 100% technical guarantee of a plugin’s absolute safety or code quality. Always exercise standard security diligence when granting third-party tools access to your local environments. 

• Invalidate and reissue API credentials: Treat any token entered into these plugins as exposed. Access your developer consoles at OpenAI, DeepSeek, SiliconFlow, or other respective providers to permanently revoke those secrets and generate fresh keys.
• Inspect account consumption logs: Review your AI provider dashboards for anomalous activity. Look closely for sudden spikes in API spend, unrecognized queries, or access requests tying back to the malicious actor’s known IP infrastructure (39.107.60[.]51).
• Establish network-level protections: Safeguard your network perimeter by restricting all outbound traffic to the malicious command-and-control server. Corporate admins should add 39.107.60[.]51 directly to firewall rulesets or central DNS blocklists.
• Apply the principle of least privilege: When setting up future IDE integrations, utilize tightly scoped tokens rather than root keys. Restrict new API credentials to specific required models and enforce strict spending caps to contain the impact of any potential future leak.
• Scan repositories for exposed credentials: Ensure your credentials have not accidentally spilled into your source code. Run a detection audit across your active codebases to guarantee no active AI provider tokens are stored in version control.

Covered Plugins:

• DeepSeek Junit Test (org.sm.yms.toolkit)
• DeepSeek Git Commit (com.json.simple.kit)
• DeepSeek FindBugs (org.bug.find.tools)
• DeepSeek AI Chat (org.translate.ai.simple)
• DeepSeek Dev AI (com.yy.test.ai.simple)
• DeepSeek AI Coding (com.dev.ai.toolkit)
• AI FindBugs (com.json.view.simple)
• AI Git Commitor (com.my.git.ai.kit)
• AI Coder Review (org.check.ai.ds)
• DeepSeek Coder AI (com.review.tool.code)
• AI Coder Assistant (org.code.assist.dev.tool)
• DeepSeek Code Review (com.coder.ai.dpt)
• CodeGPT AI Assistant (com.my.code.tools)
• DeepSeek AI Assist (ord.cp.code.ai.kit)
• Coding Simple Tool (com.dp.git.ai.tool)

Moving Forward Safely: The ACP Protocol

While no universal, bulletproof solution exists for running external code plugins, we strongly recommend that developers migrating to AI workflows adopt the Agent Client Protocol (ACP) registry where a list of agents can be found.

Built as an open standard in partnership with Zed, the ACP protocol changes how AI tools interact with your editor. Rather than trusting traditional unsandboxed marketplace plugins with custom execution flows, tools registered via the ACP Registry communicate using structured standard inputs and outputs. The protocol standardizes communication flow between the IDE and agent, drastically reducing potential attack vectors.

We remain fully committed to transparently adapting our systems to protect the global engineering community.