Security
API Key Theft, Global Takedown, macOS Flaw, AI Worm
JetBrains plugins stole 70K API keys; Europol freezes $47M; macOS flaw disables security tools; AI worm spreads autonomously.
15 Malicious JetBrains Plugins Stole AI API Keys from 70,000 Developers
JetBrains received reports on June 16, 2026 that 15 third-party Marketplace plugins were stealing the AI-provider API keys developers entered into them. The company purged the plugins, permanently banned seven publisher accounts, and marked the plugins as broken so they disable themselves on the next IDE relaunch. StepSecurity’s investigation found the malicious listings operated from late October 2025 through June 2026 across seven vendor accounts, accumulated roughly 70,000 installations, and exfiltrated OpenAI, DeepSeek, and SiliconFlow keys to a hardcoded server at 39.107.60.51 in Beijing that was still live on June 19, 2026. The theft happened the moment a developer pasted a key into the plugin’s settings and clicked Apply: the plugin checked the key’s format and then sent it over plaintext HTTP to the C2 server, exposing it both to the operators and to anyone on the network path. The plugins also installed a JVM-wide X509TrustManager that accepted any certificate, suppressing the warnings that would otherwise have drawn attention to their traffic, a defense-evasion step. JetBrains stated its internal systems were not compromised. The first malicious listing appeared on October 31, 2025; the two highest-volume listings were published on June 9 and 10, 2026. Any key entered into one of these plugins should be treated as compromised and rotated.
15 Malicious JetBrains Plugins Stole AI API Keys from 70,000 Developers | Halting Problems →
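To make the indicators in this story concrete, here is an added example (not JetBrains’ or StepSecurity’s tooling) in Python that scans plugin JARs for the three things the report describes: a plaintext http:// endpoint, a hardcoded IP such as the reported 39.107.60.51, and a reference to javax.net.ssl.X509TrustManager alongside SSLContext wiring, which is how a plugin installs a JVM-wide trust-all manager. The sample JAR it scans is constructed in memory; its .class entry is a stand-in string table rather than real bytecode, and the plugin id, class name and URL path inside it are made up. On a real install, point scan_directory at the IDE’s plugins folder.

```python
"""Heuristic scan of JetBrains plugin JARs for the exfiltration pattern above.

Added example, not JetBrains' or StepSecurity's code. Only the C2 address is
taken from the report; every other rule is a generic heuristic.
"""
import io
import re
import zipfile
from pathlib import Path
from typing import Iterator

# The C2 named in the StepSecurity report.
KNOWN_C2 = {"39.107.60.51"}

# A plugin that handles API keys has no business talking plaintext http://.
HTTP_URL = re.compile(rb"http://[\x21-\x7e]+")
# Dotted-quad literals; octets are range-checked below.
DOTTED_QUAD = re.compile(rb"(?<![\d.])(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?![\d.])")
# JVM internal class names exactly as they appear in a class file's constant pool.
TRUST_MANAGER = b"javax/net/ssl/X509TrustManager"
SSL_CONTEXT = b"javax/net/ssl/SSLContext"

SCAN_SUFFIXES = (".class", ".xml", ".properties", ".json", ".js")


def _ips(blob: bytes) -> Iterator[str]:
    """Yield dotted quads whose octets are all <= 255."""
    for m in DOTTED_QUAD.finditer(blob):
        if all(int(o) <= 255 for o in m.groups()):
            yield m.group(0).decode("ascii")


def scan_jar_bytes(data: bytes) -> dict:
    """Return the indicator sets found across one JAR's entries."""
    f = {"http_urls": set(), "ips": set(), "known_c2": set(),
         "trust_manager_entries": set(), "sslcontext_entries": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.endswith(SCAN_SUFFIXES):
                continue
            blob = zf.read(info)
            f["http_urls"].update(u.decode("ascii", "replace") for u in HTTP_URL.findall(blob))
            for ip in _ips(blob):
                f["ips"].add(ip)
                if ip in KNOWN_C2:
                    f["known_c2"].add(ip)
            if TRUST_MANAGER in blob:
                f["trust_manager_entries"].add(info.filename)
            if SSL_CONTEXT in blob:
                f["sslcontext_entries"].add(info.filename)
    return f


def verdict(f: dict) -> str:
    """Tiered verdict so a lone localhost http:// string does not become an incident."""
    if f["known_c2"]:
        return "malicious"  # talks to the reported C2
    # TrustManager + SSLContext wiring is the trust-all install pattern; combined
    # with a plaintext endpoint or a hardcoded IP, treat as exfil until proven otherwise.
    if f["trust_manager_entries"] and f["sslcontext_entries"] and (f["http_urls"] or f["ips"]):
        return "suspicious"
    if f["http_urls"] or f["ips"] or f["trust_manager_entries"]:
        return "review"
    return "clean"


def scan_directory(plugin_dir: Path) -> dict:
    """Map every JAR below a plugins directory to its verdict."""
    return {str(jar): verdict(scan_jar_bytes(jar.read_bytes()))
            for jar in sorted(plugin_dir.rglob("*.jar"))}


def build_sample_jar(malicious: bool) -> bytes:
    """Constructed test input. The .class entry is a stand-in string table, not
    real bytecode; a real class file carries the same strings in its constant pool."""
    plugin_xml = b"<idea-plugin><id>com.example.aihelper</id><version>2025.1.0.7</version></idea-plugin>"
    if malicious:
        klass = (b"\xca\xfe\xba\xbe" + b"com/example/aihelper/KeyValidator"
                 + b"\x00http://39.107.60.51/api/verify"  # reported C2, made-up path
                 + b"\x00" + TRUST_MANAGER + b"\x00checkServerTrusted"
                 + b"\x00" + SSL_CONTEXT + b"\x00setDefaultSSLSocketFactory")
    else:
        klass = (b"\xca\xfe\xba\xbe" + b"com/example/aihelper/KeyValidator"
                 + b"\x00https://api.openai.com/v1/models")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/plugin.xml", plugin_xml)
        zf.writestr("com/example/aihelper/KeyValidator.class", klass)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        found = scan_jar_bytes(build_sample_jar(malicious=flag))
        print("malicious" if flag else "benign", "->", verdict(found), sorted(found["http_urls"]))
```

The byte-level scan works on real JARs because class-file string constants are stored as (modified) UTF-8 in the constant pool, so URL literals, IPs and class names referenced by the code are visible without disassembling anything. The verdict is deliberately tiered: an http:// literal alone might be a legitimate local development endpoint, whereas a trust-manager install next to a plaintext endpoint or a raw IP is the combination this campaign used.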
Global Coordinated Takedown Cripples SocGholish, Amadey, and StealC Networks
Europol, in coordination with law enforcement from Canada, Denmark, Germany, the Netherlands, the UK, and the US, and with private-sector support including Microsoft, executed Operation Endgame against the SocGholish, Amadey, and StealC malware networks. The operation froze $47 million in cryptocurrency, took down 326 servers and 142 domains, and recovered approximately 27 million stolen login credentials. Law enforcement also remediated 14,971 infected websites, legitimate business sites that had been compromised to serve the malware. SocGholish is a JavaScript downloader and loader linked to the Russian malware-as-a-service operation Evil Corp. Europol stated that the simultaneous takedown severely crippled the malware distribution network and increased friction for cybercriminals. No arrests were made, and authorities did not say whether key group members had been identified.
macOS Flaw Lets Attackers Disable Security Tools Without a Password
Researchers at XM Cyber disclosed a macOS vulnerability that lets an attacker disable security software without an admin password or a kernel exploit, and without leaving significant traces. The technique abuses Apple’s XPC inter-process communication framework by exploiting macOS’s caching of code-signature validation results: a legitimately signed app earns trust, and malicious code is then inserted into it to hijack privileged functionality that the XPC service intended only for its own security tooling. XM Cyber tested the technique successfully against CrowdStrike Falcon and Kandji, two widely deployed security and device-management platforms. CrowdStrike added detections and paid a bug bounty; Kandji shipped a fix, tracked as CVE-2026-39118. Apple has not issued a security advisory or independently confirmed the findings. XM Cyber plans to demonstrate the attack at Black Hat Arsenal in August and will release a free tool, XPC Hunter, that scans for the weakness. Developers of XPC services can mitigate it by verifying each caller with Apple’s code-signing API at connection time rather than relying on a cached signature check. There is no patch for end users to apply; the standing advice is to use strong passwords, enable 2FA, and keep software updated.
macOS security flaw lets hackers disable Mac protection tools without a password →
China-Linked Virus Spread via Fake USB Sticks in Japan’s Army for Nearly a Year
Counterfeit USB sticks delivered to Japan’s Ground Self-Defense Force in March 2024, during disaster relief operations after an earthquake, spread China-linked malware inside a secure network for nearly a year. The infection was discovered in February 2025 when a soldier reported a slow computer; a scan found malware originating from a compromised flash drive previously linked to a Chinese hacking group. The malware infects a machine as soon as the drive is inserted. An internal investigation found the same malware on six of the eight USB drives given to the army. Despite safeguards requiring external drives to be scanned, more than 50 computers were connected to infected drives, nearly half of them handling classified data such as unit movements. Japan’s army did not disclose the infection, and the counterfeit flash drives remained widely available for purchase online. The malware can steal data, spy on users, or corrupt software. Newsweek reached out to Japan’s Defense Ministry for comment.
Fake USB Sticks Spread China-Linked Virus in Japan’s Army →
Proof-of-Concept AI Worm Spreads Autonomously Across Networks
Researchers at the University of Toronto and cybersecurity firm CleverHans demonstrated an AI-powered computer worm that can spread across a network on its own by identifying and exploiting vulnerabilities on different devices. The proof-of-concept malware pairs a locally running large language model (LLM) with an autonomous software agent that scans the network, assesses potential attack paths, and decides how to compromise each new target without human intervention. The researchers stated that the work shows how AI could let malware adapt to unfamiliar environments rather than relying on a single preprogrammed exploit. The demonstration raises concerns about future threats that could evolve and propagate autonomously, particularly because the worm was built at relatively low cost from existing open-source tools.