15 Malicious JetBrains Plugins Stole AI API Keys from 70,000 Developers
Confirmed | Discovered Jun 19, 2026
StepSecurity and JetBrains say 15 malicious JetBrains Marketplace plugins stole AI provider API keys from developers; a remote kill-switch and marketplace purge then removed the listings and banned the publisher accounts.
10 Affected Packages | 8 Observables | 5 Sources
Timeline
| Date | Event | Description | Source |
|---|---|---|---|
| Jun 19, 2026 | Fresh source review | Reviewed direct and primary sources for the last-two-weeks supply-chain refresh; this preview intentionally excludes older Halting Problems article data. | Direct source |
Affected Software
| Package | Ecosystem | Version Range | Status | Confidence | Source |
|---|---|---|---|---|---|
| org.sm.yms.toolkit | jetbrains-marketplace | unknown | Malicious | 90% | Direct source |
| com.json.simple.kit | jetbrains-marketplace | unknown | Malicious | 90% | Direct source |
| org.bug.find.tools | jetbrains-marketplace | unknown | Malicious | 90% | Direct source |
| org.translate.ai.simple | jetbrains-marketplace | unknown | Malicious | 90% | Direct source |
| com.yy.test.ai.simple | jetbrains-marketplace | unknown | Malicious | 90% | Direct source |
| com.dev.ai.toolkit | jetbrains-marketplace | unknown | Malicious | 90% | Direct source |
| com.json.view.simple | jetbrains-marketplace | unknown | Malicious | 90% | Direct source |
| com.my.git.ai.kit | jetbrains-marketplace | unknown | Malicious | 90% | Direct source |
| org.check.ai.ds | jetbrains-marketplace | unknown | Malicious | 90% | Direct source |
| com.review.tool.code | jetbrains-marketplace | unknown | Malicious | 90% | Direct source |
IOC Clipboard
8 IOCs
| Type | Value |
|---|---|
| url | http://39.107.60.51/api/software/key |
| url | http://39.107.60.51/api/software/check |
| url | https://www.stepsecurity.io/blog/jetbrains-malicious-plugins-ai-api-key-theft |
| url | https://blog.jetbrains.com/platform/2026/06/marketplace-ecosystem-security-update-malicious-ai-plugins/ |
| url | https://plugins.jetbrains.com/plugin/org.sm.yms.toolkit |
| url | https://plugins.jetbrains.com/plugin/com.json.simple.kit |
| ip | 39.107.60.51 |
| command | JetBrains IDE process sending HTTP POST requests to 39.107.60.51 |
Provenance & Sources
| Source | Type | Reliability | Claims | Evidence |
|---|---|---|---|---|
| Direct source | direct | 95% | 1 | https://blog.jetbrains.com/platform/2026/06/marketplace-ecosystem-security-update-malicious-ai-plugins/ |
| Primary research | primary research | 95% | 1 | https://www.stepsecurity.io/blog/jetbrains-malicious-plugins-ai-api-key-theft |
| Primary research | primary research | 95% | 1 | https://plugins.jetbrains.com/plugin/org.sm.yms.toolkit |
| Primary research | primary research | 95% | 1 | https://plugins.jetbrains.com/plugin/com.json.simple.kit |
| Primary research | primary research | 95% | 1 | https://plugins.jetbrains.com/plugin/com.dp.git.ai.tool |