AI Supply Chain Attacks: How Plugins & Extensions Steal Keys

Hoplon InfoSec

17 Jun, 2026

AI Supply Chain Attacks: How Plugins and Extensions Are Stealing Your Keys

Two separate campaigns surfaced within days of each other. One hides inside JetBrains IDE plugins that quietly forward AI API keys to an attacker-controlled server. The other hides inside Chrome ad blocker extensions that record entire conversations with ChatGPT, Claude, Gemini, and six other AI platforms. Together they show that AI supply chain attacks are no longer a future risk debated on a slide deck. They are already running inside the tools your developers and employees open every single day. This piece breaks down both campaigns, the wider pattern they belong to, and what an enterprise security team should actually do about it.

At a Glance

Malicious JetBrains plugins found: 15, published across 7 vendor accounts
Reported plugin installs: around 70,000
Malicious Chrome extensions found: 2 (Smart Adblocker, Adblock for Browser)
Reported extension users affected: around 90,000
AI platforms targeted by PromptSnatcher: 8, including ChatGPT, Claude, Gemini, Copilot, Perplexity, DeepSeek, Grok and Meta AI
Rise in AI credential theft (LLMjacking): 376 percent increase, Q4 2025 to Q1 2026
Stolen API key resale price: as little as $30 on underground markets
Official takedown confirmed by JetBrains or Google: not as of this writing

A Bad Week to Trust Your Everyday Tools

Picture a developer who just found an AI coding assistant plugin for their IDE. It promises chat support, automatic commit messages, code review, and even bug hunting, all powered by DeepSeek. It looks legitimate. It has thousands of downloads. So they install it, open the settings panel, paste in their OpenAI or DeepSeek API key, and click Apply.

In that exact moment, on at least fifteen plugins published to the JetBrains Marketplace, that key was already on its way to a server the developer had never heard of. This is what AI API key theft actually looks like in practice, not a theoretical risk but a live campaign quietly running through software that otherwise works exactly as advertised.

Around the same time, in a completely different corner of the internet, an office worker installed what looked like a harmless ad blocker for Chrome. It blocked ads just fine. It also quietly read every conversation that worker had with ChatGPT, Claude, Gemini, Copilot, Perplexity, DeepSeek, Grok, and Meta AI and then shipped that data off to a remote server, packaged with the model name, the subscription tier, and a device fingerprint.

Neither of these stories is hypothetical. Both were reported within the same week, and if you have followed our recent breakdown of the actively exploited FortiSandbox vulnerabilities, this will feel like a familiar pattern aimed at a new target. The target this time isn't a firewall or a sandbox appliance. It's the AI tooling that has quietly become part of daily work for millions of developers and employees, and it's a textbook example of how AI supply chain attacks actually unfold.

The JetBrains Marketplace Plugin Campaign

Security firm Aikido Security uncovered what it called a coordinated malware campaign running across the JetBrains Marketplace, the official plugin store for IntelliJ, PyCharm, WebStorm, and other JetBrains IDEs. At least fifteen plugins, published under seven different vendor accounts, all share the same hidden trick. They genuinely work as advertised, offering AI chat, commit message generation, code review, and bug finding through DeepSeek, OpenAI, or SiliconFlow. The catch is what happens after a user enters their API key, which makes this fundamentally an IDE plugin security problem rather than a one-off bad actor slipping through the cracks.

Researcher Ilyas Makari summed up the strange honesty of the scheme when he noted, "The operator collects money on one side and free credentials on the other, while the genuine key owners pay the bill." That single line captures the whole operation. The plugins aren't broken or fake. They simply have an extra feature nobody asked for.

The campaign has been running since the end of October 2025, with new plugins still being uploaded as recently as June 10, 2026. Two of the plugins, CodeGPT AI Assistant and DeepSeek AI Assist, reportedly passed 25,000 downloads each, and combined installs across all fifteen plugins are estimated near 70,000, though download counts on any marketplace can be inflated and should be read with a healthy dose of skepticism.

Here is the full list of plugins identified in the campaign so far.

Plugin Name             Plugin ID
DeepSeek Junit Test     org.sm.yms.toolkit
DeepSeek Git Commit     com.json.simple.kit
DeepSeek FindBugs       org.bug.find.tools
DeepSeek AI Chat        org.translate.ai.simple
DeepSeek Dev AI         com.yy.test.ai.simple
DeepSeek AI Coding      com.dev.ai.toolkit
AI FindBugs             com.json.view.simple
AI Git Commitor         com.my.git.ai.kit
AI Coder Review         org.check.ai.ds
DeepSeek Coder AI       com.review.tool.code
AI Coder Assistant      org.code.assist.dev.tool
DeepSeek Code Review    com.coder.ai.dpt
CodeGPT AI Assistant    com.my.code.tools
DeepSeek AI Assist      ord.cp.code.ai.kit
Coding Simple Tool      com.dp.git.ai.tool

How the Theft Actually Works

The mechanism is almost insultingly simple. A developer opens the plugin's settings panel, pastes in an API key for OpenAI, DeepSeek, or SiliconFlow, and clicks Apply. The settings handler saves that key locally, the same way any legitimate plugin would, but it also quietly forwards a copy to a hardcoded server at 39.107.60.51 over plain HTTP, with no encryption at all. There's no malware download, no suspicious popup, no second step. The theft happens inside the exact workflow the plugin was built to support.

That's also why JetBrains' manual review process didn't catch it. Every advertised feature works. A reviewer testing chat responses, commit message generation, or code review would see exactly what the listing promised. The exfiltration logic sits quietly behind the save button, doing its damage without ever breaking the experience a reviewer would be checking. This is the same blind spot that a mature vulnerability management practice is built to close, except here the flaw isn't in the code logic. It's in the trust placed in a third-party plugin that never should have had this level of access to developer endpoints in the first place, and developer workstations deserve the same endpoint protection attention as any server on the network.

The Strange Economics Behind the Paid Tier

Several of the plugins also run a paid tier, and this is where the campaign gets clever. After a user pays a small fee through a donation wall built into the plugin, the server sends back a working API key, and the plugin starts using that key instead of the user's own. On the surface that looks like a bonus. In practice, the key being handed out is someone else's stolen credential.

The result is a two-sided business. Unpaid users hand over their own keys for free. Paying users get to use someone else's stolen key at a discount. The legitimate key owners, who have no idea any of this happened, end up footing the API bill for both groups. It's a tidy little resale operation, and it's exactly the kind of credential laundering that dark web monitoring and protection programs are built to catch before stolen keys get traded any further down the chain.

Where JetBrains Stands Right Now

As of this writing, JetBrains had not issued a public response, and at least one of the plugins, DeepSeek AI Assist, was independently confirmed to still be live and downloadable. That status can change quickly once a report like this gets attention, but it also shows how long a well-disguised plugin can sit inside a trusted marketplace before anyone notices. If your organization tracks rogue third-party tooling through any kind of takedown and disruption process, this campaign is a clear candidate for it.

PromptSnatcher: When an Ad Blocker Starts Eavesdropping

While Aikido was still working through the JetBrains campaign, a researcher tracked down a second operation hiding inside two Chrome extensions, Smart Adblocker and Adblock for Browser. Both are still listed on the Chrome Web Store at the time of writing, which makes this exactly the kind of Chrome Web Store malware story that keeps repeating. Smart Adblocker has been live since October 2022 and counts roughly 90,000 users, while Adblock for Browser launched in August 2023 with around 10,000 users.

Both extensions do block ads using legitimate public filter lists, so the core function works exactly as promised. Underneath that, they also ship a custom interception engine that records full conversation histories, the AI model being used, and even whether the account is on a paid subscription tier, pulling that data from eight major platforms, including ChatGPT, Claude, Gemini, Copilot, Perplexity, DeepSeek, Grok, and Meta AI. None of this is disclosed to the user beyond a vague consent line about "Enhanced Protection," which makes this squarely an AI conversation privacy problem for every employee using these tools at work, not just a personal annoyance.

This isn't even the first time we've covered Chrome extensions behaving badly. Our recent piece on malicious Chrome extensions caught faking Google search traffic showed the same pattern of legitimate-looking add-ons hiding a second, undisclosed job.

The Technical Trick Behind It

Each extension reports back to its own dedicated infrastructure, with one calling a domain tied to its own branding and the other calling a separate one. Both rely on a configuration endpoint that returns a Base64 encoded ruleset and checks an origin header before responding, which limits casual probing by researchers. The cleverest part is that the operator can add new target platforms, Meta AI being one example, just by updating that remote configuration rather than pushing a new extension version, which means the addition never has to pass through a store review at all.

What finally exposed the operation was almost mundane. Analysts noticed a single Google Tag Manager ID showing up across multiple unrelated extensions, the kind of pattern that only surfaces when a team is running ongoing cyber threat intelligence work rather than waiting for a one-off complaint. There's also a compliance wrinkle worth flagging for anyone in a regulated industry. The Firefox builds of both extensions declared "data_collection_permissions: none" in their manifests while behaving identically to the Chrome versions, which is the kind of discrepancy that should worry anyone relying on store disclosures as a safety signal. Traditional antivirus tools rarely catch this kind of behavior either, since the extension is just using browser APIs it was already granted, which is precisely the gap that extended detection and response platforms exist to close.

This Isn't New: The Rise of Prompt Poaching

Here's the part that often gets missed when a story like this breaks. PromptSnatcher is not an isolated incident. It's the newest entry in a pattern researchers have started calling prompt poaching, a term coined by Secure Annex founder John Tuckner to describe the broader wave of malicious browser extensions that quietly capture AI conversations. It's worth being precise about the difference here. Prompt injection manipulates what an AI model does. Prompt poaching simply steals what you already said to it.

Earlier cases make the scale of the problem clear. OX Security found two Chrome extensions impersonating a popular AI sidebar tool, together pulling in about 900,000 users while exfiltrating ChatGPT and DeepSeek conversations along with the URLs of every tab open in the browser. Koi Security separately found a VPN extension with more than six million users and a glowing 4.7-star rating that had been quietly harvesting AI conversations from eight platforms since mid-2025, after the capability was slipped in through a routine update.

There's also a more uncomfortable case worth mentioning, because it doesn't involve malware at all. A major web analytics company began collecting users' AI conversation data and only disclosed it through a Terms of Service update months later. Nothing about that was illegal. It was simply unnoticed. That's arguably the harder problem for enterprises to solve, since there's no plugin to ban and no clear villain to point to, just a policy update nobody read closely enough.

Side by Side: How These Campaigns Compare

Attack surface
  JetBrains Plugin Campaign: IDE plugin
  PromptSnatcher: Browser extension
  Earlier Prompt Poaching Cases: Browser extension

What gets stolen
  JetBrains Plugin Campaign: AI provider API keys
  PromptSnatcher: Full AI conversations and account metadata
  Earlier Prompt Poaching Cases: AI conversations and browser tab URLs

Reported scale
  JetBrains Plugin Campaign: Around 70,000 installs
  PromptSnatcher: Around 90,000 users
  Earlier Prompt Poaching Cases: 600,000 to over 6 million users depending on the case

Discovered by
  JetBrains Plugin Campaign: Aikido Security
  PromptSnatcher: Independent security researcher
  Earlier Prompt Poaching Cases: OX Security and Koi Security

Status as of writing
  JetBrains Plugin Campaign: Live, unconfirmed removal
  PromptSnatcher: Live, unconfirmed removal
  Earlier Prompt Poaching Cases: Mostly removed

Why Attackers Want This So Badly: The LLMjacking Economy

None of this happens for fun. Stolen AI credentials feed directly into a fast-growing criminal economy known as "LLMjacking," a term Sysdig's Threat Research Team coined back in 2024 to describe attackers using stolen credentials to run their own AI workloads on someone else's account and someone else's bill. It has since escalated far beyond isolated incidents. Microsoft took legal action in January 2025 against a syndicate called Storm-2139, which had industrialized this exact practice across Azure, OpenAI, AWS Bedrock, Anthropic, Google Vertex AI, and Mistral.

The numbers behind this economy are alarming. Sysdig's 2026 research documented a 376 percent jump in credential theft targeting AI services between the last quarter of 2025 and the first quarter of 2026, even though a stolen API key can sell for as little as thirty dollars on underground markets. The math works because the daily compute cost a stolen key can rack up dwarfs that asking price many times over. A separate operation tracked in early 2026, nicknamed Operation Bizarre Bazaar, logged more than 35,000 attack sessions in just forty days, with daily costs to victims climbing past 100,000 dollars when high-end models were involved. By late January 2026, roughly 60 percent of that operation's traffic had already shifted away from simple compute theft toward reconnaissance against Model Context Protocol integrations, a strong hint about where this threat heads next.

This is the same underground economy that makes cheap, purpose-built tools like the OnyxC2 infostealer profitable in the first place. Stolen API keys, stolen passwords, and stolen session cookies all end up flowing through the same resale pipelines.

Why This Is an Enterprise Governance Problem, Not Just a Developer's

It's tempting to read both campaigns as individual mistakes. Someone pasted a key somewhere they shouldn't have. Someone installed an extension without checking it carefully. That framing misses the real lesson. These are two fronts of the same wave of AI supply chain attacks moving through enterprise tooling, and treating them as one-off user errors is exactly how the next one slips through too.

Security teams have started calling this broader problem nonhuman identity security, since API keys, service accounts, and tokens now outnumber human logins inside most organizations and are tracked far less carefully. Static, long-lived credentials are a governance gap, and the risk is not only outside attackers: the AI agents and tools your own teams use can quietly accumulate, store, or expose those same credentials during completely normal, sanctioned work.

This is the same root cause we wrote about when we covered AI code sprawl across employee development work, unmanaged tooling, and credentials multiplying faster than any single team can track them. Plugin marketplaces and extension stores are simply the newest place that sprawl is showing up, and it's an enterprise AI governance problem long before it ever becomes a developer's individual mistake.

For any organization formalizing its approach here, this overlaps directly with frameworks like ISO certification for artificial intelligence, and it's exactly the kind of third-party risk question that surfaces in a proper gap assessment. If your AI tooling has never been through one, this campaign is a reasonable trigger to schedule it.

Spotting the Warning Signs

A few practical indicators are worth watching for directly. On the JetBrains side, that means the hardcoded address 39.107.60[.]51 and any of the fifteen plugin IDs listed above showing up in network logs or installed plugin lists. On the browser side, watch for the two extension IDs tied to Smart Adblocker and Adblock for Browser, along with any extension making outbound calls right after a tab opens an AI chat platform. If you find evidence that a key has already leaked or that conversation data already left your network, that's a job for proper digital forensic investigation rather than guesswork, since it will tell you exactly what was exposed and for how long.
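One way to sweep for the indicators above, as an added example that is not from the article or from Aikido Security: the plugin IDs and the exfiltration host are the ones listed in this piece, while the proxy log format, the IDE process names and all sample data are constructed assumptions. It also generalises beyond the one address by flagging any IDE process that POSTs over plain HTTP to a bare IP.

```python
"""Indicator sweep for the JetBrains plugin campaign (added example, not from
the article or Aikido Security). The plugin IDs and exfil host come from the
article; the log format, IDE process names and sample data are constructed."""
import re
from dataclasses import dataclass

# Indicators from the article: the 15 plugin IDs and the hardcoded exfil host.
MALICIOUS_PLUGIN_IDS = {
    "org.sm.yms.toolkit", "com.json.simple.kit", "org.bug.find.tools",
    "org.translate.ai.simple", "com.yy.test.ai.simple", "com.dev.ai.toolkit",
    "com.json.view.simple", "com.my.git.ai.kit", "org.check.ai.ds",
    "com.review.tool.code", "org.code.assist.dev.tool", "com.coder.ai.dpt",
    "com.my.code.tools", "ord.cp.code.ai.kit", "com.dp.git.ai.tool",
}
EXFIL_HOST = "39.107.60.51"

# Constructed proxy log format (assumption): "<ts> <client> <process> <method> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")
# Plain-HTTP URL whose host is a bare IPv4 address, the shape the campaign's exfil took.
RAW_IP_HTTP = re.compile(r"^http://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/|$)")
# Process names assumed for the JetBrains IDE family.
IDE_PROCESSES = {"idea64.exe", "pycharm64.exe", "webstorm64.exe", "idea", "pycharm", "webstorm"}


@dataclass(frozen=True)
class Finding:
    severity: str
    reason: str
    evidence: str


def check_installed_plugins(plugin_ids):
    """Flag every installed plugin ID that appears on the campaign list."""
    return [Finding("high", "known malicious plugin ID", pid)
            for pid in plugin_ids if pid in MALICIOUS_PLUGIN_IDS]


def check_proxy_logs(lines):
    """Flag traffic to the exfil host, plus the general pattern behind it:
    an IDE process POSTing over plaintext HTTP to a bare IP address."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unexpected format: skip rather than guess
        if EXFIL_HOST in m["url"]:
            findings.append(Finding("high", "traffic to campaign exfil host", line))
        elif m["proc"] in IDE_PROCESSES and m["method"] == "POST" and RAW_IP_HTTP.match(m["url"]):
            findings.append(Finding("medium", "IDE plaintext POST to raw IP", line))
    return findings


# Constructed sample data: one hit in the plugin list, two suspicious log lines.
SAMPLE_PLUGIN_IDS = ["org.jetbrains.plugins.go", "com.my.code.tools", "Docker"]
SAMPLE_LOG = [
    "2026-06-11T09:14:02Z 10.0.0.5 idea64.exe POST http://39.107.60.51/api/save",
    "2026-06-11T09:14:03Z 10.0.0.5 idea64.exe POST https://api.openai.com/v1/chat/completions",
    "2026-06-11T09:20:00Z 10.0.0.7 pycharm64.exe POST http://203.0.113.9:8080/collect",
    "2026-06-11T09:21:00Z 10.0.0.7 chrome.exe GET http://198.51.100.3/ads.txt",
]


def run_sweep(plugin_ids=SAMPLE_PLUGIN_IDS, log_lines=SAMPLE_LOG):
    """Return all findings, highest severity first."""
    findings = check_installed_plugins(plugin_ids) + check_proxy_logs(log_lines)
    return sorted(findings, key=lambda f: f.severity != "high")


if __name__ == "__main__":
    for f in run_sweep():
        print(f"[{f.severity}] {f.reason}: {f.evidence}")
```

The medium-severity rule will also fire on legitimate internal tooling reached by IP, so treat it as a triage queue rather than a verdict.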

What You Can Do About It

A few concrete steps make a real difference here. Developers should treat any IDE plugin asking for a long-lived API key the same way they'd treat a request for production credentials, checking vendor account history and review patterns before installing anything and rotating keys on a regular schedule regardless. Security and IT teams should maintain an actual allowlist of approved plugins and extensions, enforce it through JetBrains and Chrome enterprise policies, and keep an eye on AI provider billing dashboards for spend that doesn't match expected usage.

At the architecture level, the real fix is to treat API keys as part of a proper secrets management program rather than something pasted into whatever tool asks for it nicely, and to move away from static, long-lived keys wherever the provider allows it, in favor of short-lived, narrowly scoped credentials. If a key does get compromised, that's where incident response and recovery work earns its keep, and running a proper cyber resilience assessment beforehand will tell you honestly whether your current plugin and extension governance could actually catch something like this before it spreads. Teams without a dedicated security leader to make these calls often lean on virtual CISO services to keep this kind of policy work moving without needing a full-time hire.
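The spend monitoring recommended above, as an added example that is not from the article: hourly billing figures are compared against a same-hour baseline from the previous week so a spike surfaces within the hour rather than at month end. All spend values are constructed, and the ratio and floor thresholds are assumptions to tune per account.

```python
"""Hourly spend-spike alerting for an AI provider account (added example, not
from the article). Spend values are constructed; thresholds are assumptions."""
from statistics import median


def hourly_baseline(history, day, hour, window_days=7):
    """Median spend for the same hour of day across the previous window_days.
    history maps (day, hour) -> USD spent in that hour. Returns None when no
    prior data exists for that hour."""
    prior = [history[(d, hour)] for d in range(day - window_days, day)
             if (d, hour) in history]
    return median(prior) if prior else None


def detect_spend_spikes(history, day, ratio=4.0, floor_usd=5.0, window_days=7):
    """Return (hour, spend, baseline, threshold) for each hour of `day` whose
    spend exceeds max(floor_usd, ratio * baseline).

    The floor stops a tiny overnight baseline from alerting on noise; the ratio
    catches the LLMjacking pattern, where a key that resells for about $30
    starts burning far more than that in compute every hour."""
    alerts = []
    for hour in range(24):
        spend = history.get((day, hour))
        if spend is None:
            continue  # no billing data yet for this hour
        baseline = hourly_baseline(history, day, hour, window_days)
        threshold = floor_usd if baseline is None else max(floor_usd, ratio * baseline)
        if spend > threshold:
            alerts.append((hour, spend, baseline, threshold))
    return alerts


def constructed_history():
    """Seven quiet days of modest hourly spend, then a day where someone else's
    workload runs on the key in the small hours (constructed data)."""
    history = {}
    for day in range(1, 9):
        for hour in range(24):
            history[(day, hour)] = round(1.0 + 0.1 * hour, 2)
    history[(8, 2)], history[(8, 3)], history[(8, 4)] = 60.0, 140.0, 95.0
    return history


if __name__ == "__main__":
    for hour, spend, base, thr in detect_spend_spikes(constructed_history(), day=8):
        print(f"{hour:02d}:00 spent ${spend:.2f}, baseline ${base:.2f}, threshold ${thr:.2f}")
```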

Frequently Asked Questions

What is LLMjacking, and how does it connect to these two campaigns? LLMjacking is the practice of using stolen AI provider credentials to run someone else's AI workloads at someone else's expense. The JetBrains plugin campaign and PromptSnatcher both feed directly into this economy, one by stealing API keys outright and the other by harvesting account and subscription details that make stolen access easier to resell.

How can I tell if a JetBrains plugin or browser extension is exfiltrating my data? Watch for unexplained outbound network activity right after entering credentials or opening an AI chat tab; check installed plugin and extension IDs against known indicators like the ones listed above; and treat any plugin that requires a long-lived API key with the same caution you'd apply to production secrets.

Are the malicious plugins and extensions still available right now? At the time this was written, several plugins tied to this JetBrains plugin malware campaign and both PromptSnatcher extensions remained live with no confirmed takedown from JetBrains or Google. Check current marketplace and store listings directly before assuming anything has been removed, since stories like this tend to move fast once they get public attention.

What's the difference between prompt poaching and prompt injection? Prompt injection manipulates what an AI model does by sneaking malicious instructions into its input. Prompt poaching doesn't touch the model at all. It simply steals the conversation you already had with it, usually through a browser extension reading the page content directly.

What should enterprises do today to reduce exposure to AI credential and conversation theft? Start with an inventory of every IDE plugin and browser extension currently in use, move away from static API keys toward short-lived scoped credentials wherever possible, and put basic spend monitoring in place on AI provider accounts so an unexpected billing spike gets caught in hours rather than at the end of the month.

The Bottom Line

Neither of these campaigns needed a zero day or a clever exploit. They needed developers and employees to trust a tool that looked completely ordinary, and both campaigns got exactly that. That's the real story here. AI tooling has quietly become part of the everyday attack surface, sitting right next to the servers and cloud accounts security teams already watch closely. Until plugin marketplaces and extension stores get meaningfully better at catching this before publication, the responsibility falls on the organizations using these tools to treat them with the same scrutiny as anything else touching sensitive data. That's precisely the gap that proper attack surface management is built to close, and it's worth checking where your own blind spots are before the next wave of AI supply chain attacks makes the news.

References

· Aikido Security, coordinated malware campaign research on the JetBrains Marketplace
· BleepingComputer, independent verification of JetBrains plugin credential theft
· The Hacker News, original combined reporting on both campaigns
· Sysdig Threat Research Team, original LLMjacking research, 2024
· Secure Annex, prompt poaching research and terminology
· OWASP LLM Top 10, LLM10:2025 Unbounded Consumption
· NIST AI Risk Management Framework
· JetBrains Marketplace security and plugin review documentation
