Two concurrent supply chain campaigns are stealing AI API keys and AI conversation data from developer environments: 15 malicious JetBrains Marketplace plugins active since October 2025 harvest AI provider API keys and use them for unauthorized LLM inference at victims’ expense, while two fake Chrome ad-blocker extensions have exfiltrated AI conversation histories from over 100,000 browsers targeting ChatGPT, Claude, Gemini, Microsoft Copilot, and five other platforms. Both campaigns have no assigned CVEs and no confirmed attribution, but represent direct financial and intellectual property exposure.