HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

Malicious JetBrains Marketplace Plugins Exfiltrate AI Provider API Keys and Chrome Extensions Capture Chatbot Conversations

Researchers uncovered 15 malicious plugins on JetBrains Marketplace that steal AI service API keys, while companion Chrome extensions capture chatbot chats. The incident highlights gaps in third‑party component controls that SOC 2 audits require, underscoring the need for continuous vendor‑risk monitoring.

LiveThreat™ Intelligence · 📅 June 17, 2026· 📰 thehackernews.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
thehackernews.com

Malicious JetBrains Marketplace Plugins Exfiltrate AI Provider API Keys and Chrome Extensions Capture Chatbot Conversations

What Happened — Researchers discovered at least 15 malicious plugins on the JetBrains Marketplace that masquerade as AI‑coding assistants (e.g., DeepSeek, other LLMs). Once installed, the plugins harvest AI service API keys and transmit them to command‑and‑control servers. A parallel campaign of Chrome extensions was found capturing user chats with AI chatbots and relaying the content to the same actors.

Why It Matters for Compliance & Audit Readiness

  • This supply‑chain attack directly violates SOC 2 CC6.1 (System Operations) and CC7.1 (Risk Management) by introducing unvetted third‑party code that can exfiltrate credentials.
  • Continuous vendor‑risk monitoring and evidence of due‑diligence are core to a defensible SOC 2 audit; the incident shows why automated marketplace scanning is essential.
  • Demonstrates the need for documented controls around third‑party component approval, runtime integrity checks, and key‑management policies to prove “least‑privilege” and “secure configuration” during an audit.

Who Is Affected

  • Software development firms, SaaS providers, and any organization that integrates AI coding assistants into their development pipelines (Tech / SaaS, FinTech, EdTech, etc.).

Recommended Actions

  • Immediately inventory all JetBrains plugins and Chrome extensions in use; remove any not officially vetted.
  • Enforce a formal third‑party component approval process aligned with SOC 2 vendor‑management controls; capture approval evidence in your compliance repository.
  • Rotate any AI provider API keys that may have been exposed and implement secret‑management solutions with audit logging.
  • Deploy runtime integrity monitoring to detect unauthorized code execution within IDEs and browsers.

Source: The Hacker News

Technical Notes

  • Attack vector: malicious plugins published to a trusted marketplace (third‑party dependency) and Chrome extensions with hidden data‑exfiltration scripts.
  • Exfiltrated data: AI service API keys (e.g., OpenAI, DeepSeek) and full transcript of chatbot interactions.
  • No public CVE; the threat leverages social engineering and supply‑chain trust.

Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/06/malicious-jetbrains-plugins-steal-ai.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

This is the scenario continuous vendor monitoring is built to catch.

When a vendor is compromised, your SOC 2 vendor-management controls are what produce the audit trail showing you knew, assessed, and acted. The Verisq AI Trust Operations platform tracks that continuously.

Explore the Verisq AI Trust Operations platform →