ctipilot.ch

15 malicious JetBrains Marketplace plugins exfiltrate AI provider API keys (Aikido)

campaign · campaign:jetbrains-marketplace-malicious-ai-plugins

Coverage timeline: 1 (first 2026-06-18 → last 2026-06-18)
Briefs: 1 (1 distinct)
Sources cited: 15 (9 hosts)
Sections touched: 1 (research)
Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-06-18: CTI Daily Brief — 2026-06-18
    research: First coverage; 7 vendor accounts, ~70k installs, settings-save exfil, key resale

Where this entity is cited

  • research: 1

Source distribution

  • attack.mitre.org: 5 (33%)
  • aikido.dev: 3 (20%)
  • bleepingcomputer.com: 1 (7%)
  • helpnetsecurity.com: 1 (7%)
  • infosecurity-magazine.com: 1 (7%)
  • socket.dev: 1 (7%)
  • stepsecurity.io: 1 (7%)
  • wiz.io: 1 (7%)
  • other: 1 (7%)

Related entities

All cited sources (15)

Items in briefs about 15 malicious JetBrains Marketplace plugins exfiltrate AI provider API keys (Aikido) (4)

15 malicious JetBrains Marketplace plugins exfiltrate AI provider API keys on "Apply"

From CTI Daily Brief — 2026-06-18 · published 2026-06-18

Aikido Security documented a coordinated campaign of at least 15 IDE plugins published under seven vendor accounts on the JetBrains Marketplace between October 2025 and June 2026, posing as AI coding assistants (built on DeepSeek, OpenAI, SiliconFlow) with roughly 70,000 combined installs (Aikido Security, 2026-06-16). The plugins function as advertised but hook the plugin settings-save handler so that the moment a user enters an AI provider API key and clicks Apply, the credential is exfiltrated to an attacker-controlled server; stolen keys are then resold as discounted "paid-tier" access while the legitimate owner pays the bill (Infosecurity Magazine, 2026-06-17). The two largest plugins (CodeGPT AI Assistant, DeepSeek AI Assist) account for most of the ~70,000 installs. Maps to T1195.001 and T1552.001 (credentials in IDE storage). Defenders should not assume the plugins have been removed from the Marketplace — inventory JetBrains plugin installs across developer fleets, rotate any AI provider keys entered into an AI-assistant plugin since October 2025, and move to IDE plugin allowlisting where possible.
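One way to run the plugin inventory recommended above on a single host, as an added example (not code from Aikido or from this brief). It reads each installed plugin's META-INF/plugin.xml descriptor from the jars under a JetBrains plugins directory passed as an argument; the allowlist entry is a constructed placeholder, and the two name matches are the plugin names given above.

```python
import sys
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Plugin display names this brief reports as the two largest in the campaign.
NAMED_ON_PAGE = {"codegpt ai assistant", "deepseek ai assist"}
# Constructed allowlist of plugin IDs; replace with your organisation's list.
ALLOWLIST = {"org.example.approved-linter"}

def read_descriptor(jar: Path):
    """Return (id, name, vendor, version) from META-INF/plugin.xml, or None."""
    try:
        with zipfile.ZipFile(jar) as zf:
            info = zf.getinfo("META-INF/plugin.xml")
            if info.file_size > 1_000_000:  # descriptors are small; skip oversized entries
                return None
            root = ET.fromstring(zf.read(info))
    except (KeyError, zipfile.BadZipFile, ET.ParseError, OSError):
        return None  # ordinary library jar or unreadable archive
    name = (root.findtext("name") or "").strip()
    plugin_id = (root.findtext("id") or name).strip()  # id falls back to name
    return (plugin_id, name, (root.findtext("vendor") or "").strip(),
            (root.findtext("version") or "").strip())

def inventory(plugins_root: Path):
    """Yield one record per plugin descriptor found under a plugins directory."""
    # Plugins are installed either as <folder>/lib/*.jar or as a single top-level jar.
    jars = list(plugins_root.glob("*/lib/*.jar")) + list(plugins_root.glob("*.jar"))
    for jar in sorted(jars):
        desc = read_descriptor(jar)
        if desc is None:
            continue
        plugin_id, name, vendor, version = desc
        if name.lower() in NAMED_ON_PAGE:
            status = "NAMED_IN_REPORT"
        elif plugin_id in ALLOWLIST:
            status = "allowed"
        else:
            status = "REVIEW"
        yield {"folder": jar.relative_to(plugins_root).parts[0], "id": plugin_id,
               "name": name, "vendor": vendor, "version": version, "status": status}

if __name__ == "__main__":
    for root in sys.argv[1:]:
        for row in inventory(Path(root)):
            print(row)
```

A display-name match only covers the two plugins named here; anything marked REVIEW still needs checking against the vendor accounts in the Aikido report.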

Miasma / TeamPCP supply-chain worm: from npm credential theft to AI coding-agent config injection across the week

From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08

The Miasma arc produced the week's clearest attack-evolution story — two distinct technique pivots in five days, both in a single actor's ongoing CI/CD intrusion campaign.

Monday 2 June (daily 2026-06-02): TeamPCP used a compromised Red Hat maintainer GitHub account to inject malicious CI/CD workflows into 32 packages in the @redhat-cloud-services npm namespace via GitHub Actions OIDC trusted-publishing abuse, poisoning ~80,000–117,000 weekly downloads across 96 releases (Wiz; Aikido Security; Socket). The "Miasma" payload — a Mini Shai-Hulud descendant — swept GitHub Actions secrets, AWS keys, SSH keys, and added new dedicated collectors for GCP service-account and Azure managed-identity tokens, signalling a pivot from developer-host theft to cloud-account takeover.

Friday 6 June (daily 2026-06-06): Rather than continuing to poison npm packages, the actor shifted technique entirely: malicious commits were planted directly in the source repositories of 73 Microsoft and Microsoft-adjacent GitHub repos, wiring execution to AI coding agent workspace-config files rather than npm install lifecycle hooks (OpenSourceMalware; The Hacker News). GitHub disabled all 73 repos in a 105-second automated sweep. StepSecurity's forensic analysis found the entry credential was the same contributor account compromised in the May 19, 2026 PyPI attack (TeamPCP infrastructure overlap); full credential revocation was not confirmed. Azure Durable Task CI/CD pipelines that reference azure-functions-action were globally disrupted.

At week close, the Cargo (Rust) registry remained un-hit (the W22 looking-ahead prediction that it would be the next target was not confirmed in this window). The AI-coding-agent config injection vector is a structural expansion of the attack surface: any CI/CD environment where CLAUDE.md, .cursor/rules, or .gemini/ files are treated as executable code rather than data is now an active target class.

"Miasma" worm backdoors 32 Red Hat Cloud Services npm packages via OIDC trusted-publishing abuse

From CTI Daily Brief — 2026-06-02 · published 2026-06-02

Threat actor cluster TeamPCP used a compromised Red Hat maintainer GitHub account to inject malicious CI/CD workflows into 32 packages in the @redhat-cloud-services npm namespace, poisoning 96 releases across high-traffic packages — Wiz puts the combined weekly downloads at roughly 80,000, while Aikido counts closer to 117,000 (Wiz, 2026-06-01 · Aikido Security, 2026-06-01). Rather than compromising developer machines directly, the attack abused GitHub Actions OIDC trusted publishing so the CI/CD pipeline itself republished backdoored packages carrying obfuscated preinstall hooks. The "Miasma" payload — a new variant in the Mini Shai-Hulud / Shai-Hulud lineage — sweeps for GitHub Actions secrets, npm tokens, AWS keys, SSH keys, HashiCorp Vault and Kubernetes credentials, and now adds dedicated collectors for GCP service-account and Azure managed-identity tokens, signalling a pivot from developer-host theft toward cloud-account takeover (Socket, 2026-06-01). Wiz notes the new variant's cloud-identity focus explicitly.

Why it matters to us: Red Hat tooling has a broad EU public-sector DevOps footprint (OpenShift/OpenStack estates). Inventory installed @redhat-cloud-services/* versions across build agents and developer endpoints, alert on preinstall scripts spawning obfuscated node -e chains from npm/npx parent trees, and rotate any CI/CD cloud-identity tokens reachable from affected pipelines.
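The process-tree alert suggested above, as an added example run over constructed process-creation events (not code from Wiz, Aikido or Socket). The event fields, the obfuscation markers and the length threshold are assumptions; the base64 string in the sample decodes to a harmless console.log(1).

```python
import re

# Assumed markers of an obfuscated inline script; tune against your own telemetry.
HINTS = re.compile(r"eval\(|Buffer\.from\(|atob\(|fromCharCode|\\x[0-9a-fA-F]{2}")
MIN_LEN = 200  # assumed: very long one-liners are unusual for install hooks
NPM = {"npm", "npx", "npm.cmd", "npx.cmd", "npm-cli.js", "npx-cli.js"}

EVENTS = [  # constructed process-creation events, not real telemetry
    {"pid": 100, "ppid": 1, "cmdline": "node /usr/lib/node_modules/npm/bin/npm-cli.js install"},
    {"pid": 101, "ppid": 100, "cmdline": "sh -c node -e \"eval(Buffer.from('Y29uc29sZS5sb2coMSk=','base64').toString())\""},
    {"pid": 102, "ppid": 101, "cmdline": "node -e eval(Buffer.from('Y29uc29sZS5sb2coMSk=','base64').toString())"},
    {"pid": 103, "ppid": 100, "cmdline": "node -e console.log('build ok')"},
    {"pid": 200, "ppid": 1, "cmdline": "bash"},
    {"pid": 201, "ppid": 200, "cmdline": "node -e eval(Buffer.from('Y29uc29sZS5sb2coMSk=','base64').toString())"},
]

def basenames(cmdline, n=2):
    """Basenames of the first n command-line tokens (executable and first argument)."""
    return {re.split(r"[\\/]", tok)[-1] for tok in cmdline.split()[:n]}

def inline_script(cmdline):
    """Return the script passed to a node process via -e/--eval, or None."""
    tokens = cmdline.split()
    if not (basenames(cmdline, 1) & {"node", "node.exe"}):
        return None
    for i, tok in enumerate(tokens):
        if tok in ("-e", "--eval"):
            return " ".join(tokens[i + 1:])
    return None

def has_npm_ancestor(pid, by_pid, max_depth=8):
    """Walk parent links (bounded, so pid loops terminate) looking for npm/npx."""
    for _ in range(max_depth):
        ev = by_pid.get(pid)
        if ev is None or basenames(ev["cmdline"]) & NPM:
            return ev is not None
        pid = ev["ppid"]
    return False

def detect(events):
    """Return pids of node -e processes under npm/npx whose script looks obfuscated."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        script = inline_script(e["cmdline"])
        if (script is not None and has_npm_ancestor(e["ppid"], by_pid)
                and (len(script) >= MIN_LEN or HINTS.search(script))):
            alerts.append(e["pid"])
    return alerts
```

On the sample events only pid 102 alerts: pid 201 runs the same script outside an npm tree, and pid 103 is an npm child whose script matches no marker.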

Deleted Google Cloud API keys keep authenticating for up to 23 minutes

From CTI Daily Brief — 2026-05-24 · published 2026-05-24

Aikido Security researcher Joe Leon published findings (2026-05-21, updated 2026-05-22) showing that deleted Google Cloud API keys continue to authenticate API requests for a median of ~16 minutes and up to ~23 minutes, measured across 10 controlled trials against Gemini, BigQuery and Maps APIs (Aikido, 2026-05-21). By contrast, Google service-account keys revoke in ~5 seconds and Gemini-specific keys in ~1 minute. The root cause is eventual consistency in GCP's IAM credential-propagation layer: deletions propagate gradually across distributed authorisation servers rather than atomically. Google first closed the report as "Won't Fix (working as intended)" before reopening it as a P0 after public disclosure (Aikido, 2026-05-21).

Why it matters to us: Key rotation/revocation is the reflexive first containment step in most cloud IR runbooks, and this breaks the assumption that it is immediate. An attacker holding a stolen key retains a usable window to exfiltrate BigQuery datasets, run Gemini inference, or query Maps billing after the defender believes the key is dead. For any CH/EU public-sector tenant on GCP, treat API-key deletion as a ~30-minute containment action: delete to start the clock, then monitor Cloud Audit Logs for post-deletion use of the key, and — for GDPR Art. 33 / Swiss DSG Art. 24 purposes — count the full post-deletion window as continued exposure when the key reached PII. Where viable, prefer service-account keys (near-instant revocation). Maps to ATT&CK T1550.001 (Application Access Token).