Hackers are secretly stealing AI keys from developers: what you need to know
At least 15 malicious plugins found on the JetBrains Marketplace were designed to steal AI API keys from developers.
At least 15 malicious plugins were discovered on the JetBrains Marketplace, designed to steal AI API keys from developers. Aikido Security uncovered the campaign, which includes plugins posing as AI coding assistants, code-review tools, and Git utilities. The plugins were downloaded over 100,000 times in total, with some individual plugins exceeding 10,000 downloads. The affected plugins were available on the marketplace for several months before being removed.
This incident directly affects developers who use JetBrains products, as stolen AI API keys can be used to access sensitive information and incur significant costs. Developers who used the affected plugins may have already had their API keys stolen, potentially leading to financial losses. The cost of stolen API keys can range from hundreds to thousands of dollars per month. This financial impact can be significant for individual developers and small businesses.
The discovery of these malicious plugins is part of a larger trend of software supply chain attacks, in which hackers target developers and their tools to gain access to sensitive information. In recent years there have been several high-profile software supply chain attacks, including the SolarWinds hack. The JetBrains Marketplace is a popular platform among developers, which makes it an attractive target for hackers; its popularity and the ease of publishing plugins leave it exposed to attacks of this kind.
In the coming weeks, JetBrains is expected to release a statement on the incident and provide guidance to affected developers. Aikido Security will also release a detailed report on the campaign, including the tactics and techniques used by the hackers. The incident highlights the need for developers to be cautious when installing plugins and to regularly monitor their API keys for suspicious activity. Interestingly, the hackers behind the campaign appear to be using the stolen API keys to train their own AI models, potentially creating a new generation of more sophisticated malware.
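One practical first step for a developer reacting to this story is to know exactly which plugins are installed in an IDE and which of them come from an unexpected source. The script below is an added example, not code from the article, from Aikido Security, or from JetBrains. It assumes the standard JetBrains layout in which each plugin is a `.jar`/`.zip` archive (or a folder with a `lib/` subdirectory of jars) carrying a `META-INF/plugin.xml` descriptor with `<id>`, `<name>` and `<vendor>` elements; the plugin IDs, vendor names and the allowlist in the demo are constructed placeholders.

```python
"""Inventory installed JetBrains IDE plugins and flag those outside an allowlist.

Assumes the usual plugin layout: <plugins_dir>/<plugin>.jar or
<plugins_dir>/<PluginFolder>/lib/*.jar, each archive carrying META-INF/plugin.xml.
"""
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class PluginInfo:
    file: str
    plugin_id: Optional[str]
    name: Optional[str]
    vendor: Optional[str]


def read_plugin_xml(archive_path: str) -> Optional[bytes]:
    """Return the META-INF/plugin.xml bytes from a jar/zip, or None if absent."""
    try:
        with zipfile.ZipFile(archive_path) as zf:
            for member in zf.namelist():
                if member.endswith("META-INF/plugin.xml"):
                    return zf.read(member)
    except zipfile.BadZipFile:
        return None
    return None


def parse_plugin_xml(data: bytes):
    """Extract (id, name, vendor) from an <idea-plugin> descriptor."""
    root = ET.fromstring(data)

    def text(tag: str) -> Optional[str]:
        el = root.find(tag)
        return el.text.strip() if el is not None and el.text else None

    return text("id"), text("name"), text("vendor")


def inventory(plugins_dir: str) -> List[PluginInfo]:
    """List every plugin under plugins_dir, one record per plugin descriptor found."""
    found: List[PluginInfo] = []
    for entry in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, entry)
        candidates: List[str] = []
        if os.path.isfile(path) and path.endswith((".jar", ".zip")):
            candidates.append(path)
        elif os.path.isdir(path):
            lib = os.path.join(path, "lib")
            if os.path.isdir(lib):
                candidates.extend(os.path.join(lib, f)
                                  for f in sorted(os.listdir(lib)) if f.endswith(".jar"))
        for candidate in candidates:
            data = read_plugin_xml(candidate)
            if data is None:
                continue  # helper jar without a descriptor, keep looking
            pid, name, vendor = parse_plugin_xml(data)
            found.append(PluginInfo(candidate, pid, name, vendor))
            break  # one descriptor per plugin folder
    return found


def flag_unknown(plugins: List[PluginInfo], allowlist: Set[str]) -> List[PluginInfo]:
    """Return plugins whose ID is not on the reviewed allowlist (or has no ID at all)."""
    return [p for p in plugins if p.plugin_id not in allowlist]


def _write_plugin(archive_path: str, pid: str, name: str, vendor: str) -> None:
    descriptor = f"<idea-plugin><id>{pid}</id><name>{name}</name><vendor>{vendor}</vendor></idea-plugin>"
    with zipfile.ZipFile(archive_path, "w") as zf:
        zf.writestr("META-INF/plugin.xml", descriptor)


def build_demo_dir() -> str:
    """Constructed sample plugins directory: one allowlisted plugin, one unexpected one."""
    root = tempfile.mkdtemp(prefix="jb-plugins-")
    os.makedirs(os.path.join(root, "TrustedPlugin", "lib"))
    _write_plugin(os.path.join(root, "TrustedPlugin", "lib", "trusted.jar"),
                  "org.example.trusted", "Trusted Plugin", "Example Org")
    _write_plugin(os.path.join(root, "ai-helper.jar"),
                  "com.example.ai-helper", "AI Helper", "Unknown Vendor")
    return root


def demo_unknown_ids() -> List[Optional[str]]:
    """Run the audit on the constructed directory; only the hypothetical AI helper is flagged."""
    allowlist = {"org.example.trusted"}  # placeholder: your reviewed plugin IDs go here
    return [p.plugin_id for p in flag_unknown(inventory(build_demo_dir()), allowlist)]


if __name__ == "__main__":
    for plugin in flag_unknown(inventory(build_demo_dir()), {"org.example.trusted"}):
        print(f"UNREVIEWED: {plugin.plugin_id} ({plugin.name}, vendor={plugin.vendor}) in {plugin.file}")
```

Point `inventory()` at the real plugins directory of your IDE instead of the constructed one, and treat anything flagged as a prompt to verify the vendor on the marketplace listing and, if in doubt, rotate any AI API keys the IDE had access to.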