[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fSClaIWyIiscYzgNvw7WR57ZFgpzXNQFUUHxMAeSL4Eo":3},{"article":4,"iocs":54},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":36},"88b9084e-cda2-4d9f-ba43-a6ea083948ad","Malicious JetBrains Plugins Steal AI API Keys as Chrome Extensions Capture Chatbot Chats","malicious-jetbrains-plugins-steal-ai-api-keys-as-chrome-extensions-capture-chatb-1d5a81","Cybersecurity researchers have flagged a \"coordinated malware campaign\" on the JetBrains Marketplace that has published no less than 15 malicious plugins capable of exfiltrating artificial intelligence (AI) provider keys. \"Every plugin poses as an AI coding assistant built on DeepSeek and other large language models, offering chat, commit messages, code review, bug finding, and unit tests,\"","A coordinated malware campaign has seen 15 malicious plugins published on the JetBrains Marketplace, designed to steal AI provider API keys. These plugins, disguised as AI coding assistants, exfiltrate keys for services like OpenAI and DeepSeek to attacker-controlled servers. Concurrently, two Chrome extensions were found capturing user conversations with various AI chatbots, highlighting a growing trend of targeting developer environments and AI service credentials.","Malicious JetBrains plugins and Chrome extensions are stealing AI API keys and chatbot conversations.","Malicious JetBrains Plugins Steal AI API Keys as Chrome Extensions Capture Chatbot Chats Ravie LakshmananJun 17, 2026Supply Chain Security \u002F AI Security Cybersecurity researchers have flagged a \"coordinated malware campaign\" on the JetBrains Marketplace that has published no less than 15 malicious plugins capable of exfiltrating artificial intelligence (AI) provider keys. \"Every plugin poses as an AI coding assistant built on DeepSeek and other large language models, offering chat, commit messages, code review, bug finding, and unit tests,\" Aikido Security researcher Ilyas Makari said. \"They function exactly as advertised. However, the AI provider API key you enter gets exfiltrated to a server controlled by the attacker.\" The activity is said to have been ongoing since the end of October 2025, with new plugins released as recently as June 10, 2026. Two of the plugins, CodeGPT AI Assistant and DeepSeek AI Assist, have more than 25,000 downloads each, although it's not clear if the counts are authentic or if they have been inflated to fake their popularity. The complete list of plugins is below - DeepSeek Junit Test (org.sm.yms.toolkit) DeepSeek Git Commit (com.json.simple.kit) DeepSeek FindBugs (org.bug.find.tools) DeepSeek AI Chat (org.translate.ai.simple) DeepSeek Dev AI (com.yy.test.ai.simple) DeepSeek AI Coding (com.dev.ai.toolkit) AI FindBugs (com.json.view.simple) AI Git Commitor (com.my.git.ai.kit) AI Coder Review (org.check.ai.ds) DeepSeek Coder AI (com.review.tool.code) AI Coder Assistant (org.code.assist.dev.tool) DeepSeek Code Review (com.coder.ai.dpt) CodeGPT AI Assistant (com.my.code.tools) DeepSeek AI Assist (ord.cp.code.ai.kit) Coding Simple Tool (com.dp.git.ai.tool) Aikido Security said all 15 plugins share a similar codebase, requiring users to open the settings panel and enter an API key for an AI like OpenAI, SiliconFlow, or DeepSeek in order to carry out the promised functionality. While the plugins work as they are intended to, they have been found to sneak in the ability to covertly siphon the provided API key to a remote server (\"39.107.60[.]51\") under the attacker's control over an HTTP request in plaintext format. \"The plugins also run a paid tier,\" the company said. \"After a user pays a small fee through the donation wall built into the plugin, the server sends an API key back down to the client, and the plugin starts using that key for its model calls instead of your own, which is bizarre, since no legitimate operator would simply hand a user a working and unrestricted key to a paid AI provider.\" This has raised the possibility that the operators behind the campaign are likely sharing the stolen AI provider API keys with other threat actors as part of an illicit monetization scheme, effectively turning it into a service that grants paying users access to the victim's AI provider. \"The operator collects money on one side and free credentials on the other, while the genuine key owners pay the bill,\" Makari added. The campaign is further evidence of how threat actors are increasingly targeting developer environments through the open-source ecosystem, which has become a lucrative target owing to the fact that they host source code, cloud credentials, signing keys, and API keys for paid AI services that can be resold for LLMjacking schemes. \"Treat a plugin the same way you would treat any dependency that runs with your privileges, and be cautious about pasting long-lived secrets into tools you have not vetted,\" Aikido Security said. Malicious Chrome Extensions Steal AI Conversations The development coincides with the discovery of two Google Chrome ad blocker extensions that have been caught capturing users' conversations with AI chatbots like OpenAI ChatGPT, Anthropic Claude, Google Gemini, Microsoft Copilot, Perplexity, DeepSeek, xAI Grok, and Meta AI. The data collection operation has been codenamed PromptSnatcher by researcher Jean-Marie R. The names of the extensions, which are still available on the Chrome Web Store, are as follows - Smart Adblocker (ID: iojpcjjdfhlcbgjnpngcmaojmlokmeii) - 90,000 users (Published in October 2022) Adblock for Browser (ID: jcbjcocinigpbgfpnhlpagidbmlngnnn) - 10,000 users (Published in August 2023) \"While presented as ad blockers, the extensions ship a custom-built interception engine that records non-public conversations, model usage, and account-tier metadata from every major AI platform (ChatGPT, Claude, Gemini, and others),\" the researcher said. \"The operation uses legitimate public filter lists (EasyList, IDCAC) as functional cover, providing genuine ad-blocking utility while running an undisclosed telemetry channel.\" The fact that the two extensions have been around for several years indicates that the AI-related updates were introduced in the form of software updates. These efforts are part of an attack technique called Prompt Poaching. Over the past several months, browser extensions, both legitimate and malicious, have been observed adopting this method to stealthily capture AI chats. What's unclear is whether these practices violate Google's policies for browser extensions. \"The extensions intercept full AI conversation history, model usage, and subscription tier from eight platforms, and transmit this data to operator-controlled infrastructure without notification to the user beyond a generic 'Enhanced Protection' consent string,\" the researcher noted. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  AI Security, API Key Theft, Browser Extension, Chrome, Developer Security, JetBrains, LLMjacking, Malware, Prompt Poaching, Supply Chain Security ⚡ Top Stories This Week Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows Anthropic Releases Claude Fable 5, Its Most Powerful AI Yet, With Cyber Safeguards Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories ThreatsDay Bulletin: Worm Code Leaked, AI Agent Phished, Claude Code Patch + 28 New Stories New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More ⭐ Featured Resources Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale [Watch Demo] See Which Security Gaps Attackers Could Exploit First AI Can’t Stop Every Attack. Learn How Zero Trust Can Block What’s Unknown Have You Outgrown Your MDR? 7 Warning Signs Every CISO Should Check","https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fmalicious-jetbrains-plugins-steal-ai.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEg2aRb82ydrk_lAXr6Yy-GmrPfQSaIuCNYTtB8dFm02DZWhJVj3bmjB3WLhWDUtiFmrGC3lHdeLfA2NtC6oHKJDAdW7ot4f3HQDyLw2Ep3q49BnOkuBWOPP2OuN1I1HNFknxPyQNpEZEnEt-8KhV2nx_HcaEiBm8Rdh7blevc3I1GjuBMLL1xOpJThFuJpE\u002Fs1600\u002Fhi.jpg","2026-06-17T09:38:46+00:00","2026-06-17T10:00:15.201016+00:00",9,[18,21,23,25,27,29],{"name":19,"type":20},"JetBrains Marketplace","product",{"name":22,"type":20},"CodeGPT AI Assistant",{"name":24,"type":20},"DeepSeek AI Assist",{"name":26,"type":20},"OpenAI ChatGPT",{"name":28,"type":20},"Anthropic Claude",{"name":30,"type":20},"Google Gemini","26b0b636-0e31-4db1-bffb-61bdf9f20a58",{"id":31,"icon":33,"name":34,"slug":35},null,"Supply Chain","supply-chain",[37,39,44,49],{"category":38},{"id":31,"icon":33,"name":34,"slug":35},{"category":40},{"id":41,"icon":33,"name":42,"slug":43},"839da5c1-3c34-47e2-9499-f7201640e3ac","AI Security","ai-security",{"category":45},{"id":46,"icon":33,"name":47,"slug":48},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":50},{"id":51,"icon":33,"name":52,"slug":53},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[55],{"type":56,"value":57,"context":58},"ip","39.107.60.51","IP address of the server controlling the attacker's plugins"]