At JetBrains, we build tools that empower developers to create, automate, and innovate. In today’s rapidly evolving software supply chain and threat landscape, we believe responsible transparency must be the foundation of our developer ecosystem. The explosion of AI-assisted development has revolutionized the way engineering teams work, but it has also introduced new vectors for exploitation. While our Plugin Verifier has historically focused on compatibility and API-usage analysis, we are continuously evolving our Marketplace ingestion pipelines to introduce advanced security scanning capabilities that enhance the protection of our ecosystem.

Our philosophy is simple: discovering and communicating ecosystem flaws, and sharing that information openly with the developer community, is not an indication of weakness; rather, it is evidence of rigorous scrutiny and a proactive threat management program. By aggressively seeking out and dismantling malicious plugin behavior, our aim is to get ahead of threat actors to ensure our community can keep their source code and local environments secure.

To that end, today JetBrains is disclosing an AI API key theft campaign involving 15 third-party plugins that were published on JetBrains Marketplace.