All Briefings | Red Team Scenarios
June 8, 2026
Red Team Scenarios

Your IDE Marketplace Is Stealing Your AI Keys

This Red Team briefing analyzes a real disclosure published this week. The scenario framing is real; the policy recommendations are mine.

What You Will Decide
Role
CISO at a DIB shop using AI coding agents in production
Window
Q3 procurement refresh window
Tradeoff
Marketplace operator attestation requirement vs. per-developer credential broker rollout
Widget
None yet — companion widget pending

Domain: Supply Chain / Developer Credentials / AI Infrastructure

Situation Briefing

Aikido Security disclosed fifteen JetBrains plugins this week that have been silently shipping developer-entered AI API keys to attacker servers since October. The mitigation isn't a model update. It's that we keep treating IDE marketplaces like app stores when they're actually credential pipelines.

The disclosure landed on June 5, 2026 via Bleeping Computer. The numbers: fifteen plugins, seven vendor accounts, roughly seventy thousand combined installs across the JetBrains Marketplace, exfiltration active since October 2025, and at least two new variants still publishing as of June 10. The two highest-installed offenders advertise themselves as AI assistants: DeepSeek AI Assist and CodeGPT AI Assistant. The thing they were stealing was not source code. It was the AI API key the developer typed into the plugin's settings dialog to make the plugin work.

The exfiltration is plaintext HTTP. The plugins POST the captured key, in clear text, to attacker-controlled endpoints. The exfiltration is the second harvest; the wire is the first.

The targets were keys for OpenAI, DeepSeek, and SiliconFlow. That is deliberate, not opportunistic. AI API keys behave differently from a GitHub token or AWS access key: issued by labs with limited downstream attribution, rate-limited by the lab's billing rather than the developer's IAM, almost never scoped to a single project, and rotated less often than any other production secret. A leaked key buys an attacker billable inference credits on the victim's account, often six figures of monthly burn before anomaly detection trips.

The plugins are not subtle once you look. Broad IDE permissions, no signing pedigree, domains registered in the last eight months. They got installed seventy thousand times anyway because the marketplace surfaced them under the same install button as the legitimate AI tooling developers were trying to install. A developer searching "DeepSeek" got DeepSeek AI Assist. A developer searching "CodeGPT" got CodeGPT AI Assistant. The marketplace did not distinguish the trademarked product from the impersonator using the trademark as a name.

The parallel data point this week is the Claude Code GitHub Action vulnerability RyotaK at Flatt Security disclosed on June 1 and Microsoft Security wrote up on June 5. Different failure class (a crafted GitHub issue pivoting the action into elevated privileges) but the same family: agent infrastructure trusting metadata from a marketplace-style channel that was not adversarially curated. Next Monday's synthesis piece covers that one. This briefing is about the IDE marketplace, because the credential pipeline is the doctrinally orphaned surface.

The orphan-ness is the news. The Trump June 2, 2026 AI infrastructure executive order, signed three days before the Aikido disclosure, names model weights, training data, frontier compute, and adversary access. The EO does not contain the word "marketplace." It does not name the IDE channel. It assigns no agency to the developer-credential surface actively being looted.

The Mechanism

A marketplace is not an app store. The two get treated as the same category because the install button looks the same. The mechanics underneath are different in ways that decide who owns the harm.

An app store reviews binaries before distribution. Apple and Google run automated and human review on every submission, gate the install surface behind it, and revoke binaries server-side. Imperfect but real, because consumer-side trust collapse is the only thing that dethrones an app store.

An IDE marketplace does not. JetBrains, Microsoft's VS Code marketplace, and Cursor's plugin channel each rely on self-attestation, shallow automated scanning, and post-hoc takedown after a third-party researcher flags a problem. The marketplaces compete on plugin count and onboarding speed. A high-friction review is, in product terms, a feature regression. The same pattern almost certainly exists on the VS Code marketplace.

The developer's threat model assumes the marketplace did the review. Developers install plugins the way they install standard library functions. There is a publisher, a search rank, an install count, and the marketplace appears to stand behind the distribution. When a plugin asks for the developer's OpenAI key, the developer types it in because the venue is trusted. The trust is rational because the marketplace's presentation invites it; the trust is misplaced because the marketplace was not actually validating.

The AI labs cannot patch this from their side. An OpenAI key in a plugin's settings dialog is a credential the lab issued, captured by third-party software the lab has no relationship with. The lab can rate-limit when anomaly detection trips and build downstream telemetry. It cannot prevent the capture, which happens on the developer's machine through software installed from a marketplace the lab does not run. The vendor-of-record for safe handling is the marketplace operator.

The developer's only durable mitigation is rotation and scope. Rotate any key that touched a JetBrains AI assistant plugin since October. Scope replacements to single projects where the lab supports it. Move to short-lived OAuth where possible. None of this is habit. It should be. The labs that ship the strongest scoping primitives become the de facto safer choice in the next twelve months.

Decision Pressure

The mitigation calendar is collapsed because the campaign is active. Three audiences owe action on three different clocks.

Marketplace operators owe a posture this quarter. JetBrains will produce a takedown and an audit pass by end of June. Necessary and insufficient. The doctrine the company picks for the next twelve months is the news. Three options. Keep self-attestation and run a faster takedown loop. Tier the marketplace so credential-handling plugins go through a heavier review track. Refuse to host plugins that capture third-party API keys at all, and push the AI tooling category into a separate channel. Microsoft and Cursor decisions are due immediately afterward, because whatever JetBrains does sets the market floor.

DIB primes owe a rotation order this week. Every DIB contractor with developers on JetBrains products needs the list of fifteen plugins, a query against endpoint-management telemetry for who installed them, and a rotation order for any AI API keys those developers entered. The Anthropic, OpenAI, and Google enterprise admins at those primes need a forced-rotation drill against keys issued from the enterprise console. Fire-drill, not quarterly hygiene. Eight months of plaintext-HTTP exfiltration is enough time for the credential to have been resold twice.

CISA owes a public advisory and a marketplace-channel ownership claim by end of June. The Trump EO did not name CISA as the marketplace owner. CISA can take the surface anyway. The advisory should be specific about which plugins, which labs' keys to rotate, and which marketplace-operator obligations belong in the next supply-chain executive order. The harder ask is on JetBrains, Microsoft, and Cursor: a written posture on tiered review for credential-handling plugins, with a deadline. The deadline is what makes the posture a real ask instead of a press response.

Congressional oversight is the slowest of the three. The House Homeland Security and Senate Intelligence committees have jurisdiction. Neither has marked up developer-credential supply chain legislation since 2024. The Aikido disclosure produces a hearing inside three weeks and a letter inside one. The thing to ask for is a written description from JetBrains, Microsoft, and Cursor of what their review process actually does, with examples of plugins they have rejected and the criteria used. The companies will resist because the answer is not flattering. The resistance is the data point.

Complicating Factors

The plaintext HTTP is not stupidity. It is signaling. Operators capable of building a credential-stealer for fifteen JetBrains plugins are capable of TLS. The choice of plaintext HTTP suggests they were optimizing for collection volume over stealth, on the assumption that keys would be useful before anyone noticed. The eight-month dwell time validates the assumption.

The trademark abuse is the search-ranking story. "DeepSeek AI Assist" and "CodeGPT AI Assistant" are not subtle impersonations. JetBrains did not block third-party trademarks in plugin names, did not require trademark holders to opt in, and did not surface a "verified publisher" cue. This is a marketplace-policy question, not a litigation question. The first marketplace to require trademark-holder co-signing on AI-assistant plugins resets the category.

The lab-side detection is downstream, not preventive. OpenAI, DeepSeek, and SiliconFlow each have anomaly detection built for sudden spikes, geographic anomalies, and unusual model selections. None is built for "a key issued for IDE-assistant use is now driving bulk inference from a new IP every twenty minutes." The labs that build IDE-marketplace-exfiltration signals catch the next campaign faster. The labs that don't get blamed in the next disclosure, because they are the brand on the leaked key.

The DIB picture is worse than the consumer picture. A consumer with a leaked OpenAI key burns a few hundred dollars. A defense industrial base developer with a leaked enterprise key may have handed an adversary the inference channel a program uses for code review, requirements decomposition, or vulnerability triage. The leaked credential is the credential to the assistant that touches the program.

The EO's silence is doctrinal, not accidental. The June 2 executive order was drafted by an administration with clear priorities: frontier compute, model weights, training data, adversary access. The drafters knew about the supply-chain failure class. They chose not to name the developer surface because naming it would require assigning ownership, and the natural owners (the marketplaces) are not federal entities. Everything between the lab and the developer is, in the EO's frame, somebody else's problem.

Anna's Read

This is not exotic. The pattern broke npm in 2021, PyPI in 2022, and the VS Code marketplace at least twice since 2023. A distribution channel with weak adversarial curation becomes a high-value target once the credentials worth stealing aggregate inside the workflow using the channel. The novelty: the credentials are AI API keys, the keys sit inside the IDE because that is where developers paste them, and the marketplace has not adapted its review posture to a catalog category whose entire purpose is to handle third-party credentials.

The mitigation owner is the marketplace operator. Not the AI lab. Not the developer. The lab can build better downstream detection. The developer can rotate. The durable fix is upstream of both. The marketplace operator decides which plugins are surfaced, what the review looks like, and whether trademark holders get to vet plugins using their product names. Until those decisions get treated as regulated decisions, the campaigns continue.

The federal posture should be to designate IDE marketplaces as critical software supply chain infrastructure and attach review obligations to that designation. CISA can do this under existing authorities, with the next supply-chain executive order as the codification vehicle. The obligations: independent third-party review of credential-handling plugins, mandatory verified-publisher cues, trademark-holder co-signing, and a public registry of takedowns with reasons. The marketplaces will object on innovation grounds. The DIB primes will not.

The lab posture should be to make rotation cheap and scoping default. OpenAI and Anthropic already support project-scoped keys; they should default to project scoping in the enterprise console and in IDE-integration documentation. DeepSeek and SiliconFlow have less mature scoping; the labs that build it fastest become the safer-by-default choice. Joint IDE-integration security guidance from the major labs would help.

The developer posture is unglamorous. Rotate. Scope. Move to short-lived flows. Audit your installed plugins against the Aikido list this week, and again next quarter against whatever list comes after. The operators stealing the credentials are still publishing as of June 10. The eight-month dwell time is the floor for the next campaign, not the ceiling.

The Trump EO will get a companion document or corrective EO within ninety days. The omission is too visible to leave standing once the Aikido disclosure moves the trade press. The administration's preferred fix will be to name CISA as the marketplace-channel owner without giving CISA new authorities, which absorbs the surface politically without changing operator incentives. The harder, right fix is to attach review obligations to the marketplaces directly, with the FTC or Commerce holding the enforcement pen.

When the next AI infrastructure failure lands, do not start from the model. Do not start from the lab. Start from the channel the developer trusted. The lab built the engine. The marketplace handed the developer the keys to the wrong car. Make the marketplace.

Related Briefings

Red Team Scenarios · May 25, 2026
The Helpful Intern
An agentic AI at a DoD prime moves classified-equivalent program data into a vendor space. Same trust-the-tool failure class, one layer up the stack.
Red Team Scenarios · June 1, 2026
The Server That Phoned Home
The first Chip Security Act server to fail its location check is in Tehran. Different surface, same pattern of doctrine trailing capability by months.
Red Team Scenarios · April 13, 2026
The Logistics Oracle
An AI producing assessments outside its authorized domain. The capability-outpacing-doctrine throughline.

Anna R. Dudley writes on national security, AI policy, and the institutional structures absorbing the costs of AI deployment faster than they are being redesigned. Red Team Scenarios is the series for the call you don't want to take. Subscribe at annardudley.substack.com.

Sources
Aikido Security disclosure via Bleeping Computer, June 5, 2026, "Malicious JetBrains marketplace plugins steal AI API keys from developers." Flatt Security writeup by RyotaK, June 1, 2026, "Poisoning Claude Code: one GitHub issue to break the supply chain." Microsoft Security blog, June 5, 2026, "Securing CI/CD in an agentic world: Claude Code GitHub Action case." The White House, June 2, 2026, "Promoting Advanced Artificial Intelligence Innovation and Security."

Back to Briefings
Copied to clipboard