From 31c7e916656758f6ba2d905d117628cc194b60b0 Mon Sep 17 00:00:00 2001
From: Kjell Tore Guttormsen <ktg@humanize.no>
Date: Sat, 18 Apr 2026 10:00:59 +0200
Subject: [PATCH] docs(llm-security): add JetBrains sections to
 ide-extension-threat-patterns

---
 .../ide-extension-threat-patterns.md          | 119 +++++++++++++++++-
 1 file changed, 116 insertions(+), 3 deletions(-)

diff --git a/plugins/llm-security/knowledge/ide-extension-threat-patterns.md b/plugins/llm-security/knowledge/ide-extension-threat-patterns.md
index 915184c..f729756 100644
--- a/plugins/llm-security/knowledge/ide-extension-threat-patterns.md
+++ b/plugins/llm-security/knowledge/ide-extension-threat-patterns.md
@@ -7,8 +7,10 @@ Research brief: `/Users/ktg/.claude/plans/research-ide-extension-prescan.md`.
 
 ## Scope
 
-MVP (v6.3.0): VS Code + forks (Cursor, Windsurf, VSCodium, code-server, Insiders, Remote-SSH).
-IntelliJ plugins deferred to v1.1 — JetBrains manual-review + opt-in signing reduces public case-study volume.
+VS Code + forks (Cursor, Windsurf, VSCodium, code-server, Insiders, Remote-SSH) and
+JetBrains/IntelliJ plugins (IntelliJ IDEA, PyCharm, WebStorm, GoLand, Rider, CLion,
+PhpStorm, RubyMine, DataGrip, DataSpell, RustRover, Aqua, Gateway, and Android Studio).
+JetBrains discovery shipped in v6.6.0.
 
 ## 1. Blocklist Match (CRITICAL)
 
@@ -105,9 +107,114 @@ Detected by MEM scanner on extension `README.md` and `CHANGELOG.md`.
 
 **OWASP:** LLM01.
 
+## 11. JetBrains Plugin Format (informational)
+
+**Layout:** JetBrains plugins distribute as a ZIP or JAR. Installed plugins on disk
+are already extracted by the IDE (directory form). A sideloaded URL download is a
+single ZIP with layout `<artifact>/lib/<main>.jar + lib/<dep>.jar`. The authoritative
+manifest `META-INF/plugin.xml` lives **inside the main JAR in `lib/`**, not at the
+ZIP root. `META-INF/MANIFEST.MF` lives in each individual JAR.
+
+Scanner strategy: walk `lib/*.jar`, open each as a nested ZIP, read `plugin.xml`
+from the first JAR that contains one, then parse `MANIFEST.MF` from every JAR for
+`Premain-Class` and coordinates (`Implementation-Title`, `Bundle-SymbolicName`).
+
+**Source:** https://plugins.jetbrains.com/docs/intellij/plugin-content.html.
+
+## 12. JetBrains Broad Activation (HIGH / MEDIUM)
+
+**Signals (ranked):**
+
+- **HIGH:** `<application-components>` present (legacy, loads at IDE start, blocks
+  dynamic reload) OR an `AppLifecycleListener` registered via
+  `<applicationListener topic="...AppLifecycleListener"/>` with an `appStarted`
+  handler. Equivalent to "run code at IDE startup."
+- **MEDIUM:** `<postStartupActivity>` or `<backgroundPostStartupActivity>` — runs
+  once shortly after project open. Common in legitimate plugins but still a
+  capability signal.
+- **MEDIUM:** `applicationService` with `preload="true"` — forces early
+  instantiation at IDE load.
+
+**Case:** CVE-2024-37051 (JetBrains GitHub integration, June 2024) exfiltrated
+GitHub access tokens via malicious pull request content — required no user
+interaction once opened, abusing startup-time hooks.
+
+**OWASP:** LLM06 (Excessive Agency), ASI02.
+
+## 13. Theme-with-Code (JetBrains) (HIGH)
+
+**Signal:** `plugin.xml` declares `<themeProvider>` AND any of:
+`applicationService`, `projectService`, `action`, `applicationListener`,
+`projectListener`, `postStartupActivity`, `<application-components>`.
+
+**Rationale:** A pure JetBrains theme (LAF — look-and-feel) needs only a
+`themeProvider` + a `.theme.json` resource. Bundling services/actions/listeners on
+a theme mirrors the VS Code "A Wolf in Dark Mode" pattern and is a strong red flag.
+
+**OWASP:** LLM06, ASI02.
+
+## 14. Java Agent — Premain-Class (HIGH)
+
+**Signal:** Any JAR in `lib/` has `Premain-Class: <fqcn>` in `META-INF/MANIFEST.MF`.
+
+**Rationale:** `Premain-Class` registers a Java agent, giving bytecode-instrumentation
+authority over the IDE JVM (hook every class load, rewrite methods, intercept
+reflection). No legitimate third-party IntelliJ plugin needs this. If present
+together with `Can-Redefine-Classes: true` or `Can-Retransform-Classes: true`,
+severity is CRITICAL.
+
+**Reference:** Log4Shell 2021 retrospective and subsequent JVM attacks highlight
+`Premain-Class` as a persistent instrumentation vector.
+
+**OWASP:** LLM06, ASI04.
+
+## 15. Native Binary Bundling (MEDIUM / HIGH)
+
+**Signal:** `.dll`, `.so`, `.dylib`, `.exe` file inside any JAR in `lib/` or in
+the plugin directory tree.
+
+**Rationale:** Bundled native binaries escape JVM sandboxing and cannot be audited
+by JVM-level scanners. Legitimate uses exist (native filesystem watchers, DB
+drivers) but are rare — most plugins should be pure JVM bytecode. Severity is
+MEDIUM by default, HIGH when combined with Java-agent signal (#14) or broad
+activation (#12).
+
+**Case:** OX Security 2025 research on JetBrains Marketplace demonstrated that
+signed plugins can still bundle arbitrary native payloads — the verified badge
+attests publisher identity, not plugin safety.
+
+**OWASP:** LLM03, ASI04.
+
+## 16. Legacy `<application-components>` (MEDIUM advisory)
+
+**Signal:** `plugin.xml` uses the deprecated `<application-components>`,
+`<project-components>`, or `<module-components>` elements instead of modern
+`<applicationService>` / `<extensions defaultExtensionNs="com.intellij">`.
+
+**Rationale:** Deprecated since 2020. Plugins that use components cannot be
+dynamically loaded/unloaded and force a restart on install, bypassing IDE-managed
+hot-reload safety. Often found together with other legacy red flags.
+
+**OWASP:** LLM06.
+
+## 17. Shaded/Uncoordinated JARs (MEDIUM)
+
+**Signal:** JAR in `lib/` has no recognisable coordinates (`Implementation-Title`,
+`Bundle-SymbolicName`, `Implementation-Version` absent from `MANIFEST.MF`) OR
+class files appear under shaded package prefixes (`com.company.shaded.*`,
+`plugin.relocated.*`).
+
+**Rationale:** Uncoordinated or shaded JARs cannot be mapped to an OSV or Maven
+Central entry, so transitive-dependency auditing is impossible. YouTrack
+IJPL-212393 confirms JetBrains cannot reliably identify shaded library content
+either, so the signature-warning UI sometimes emits no warning at all.
+
+**OWASP:** LLM03, ASI04.
+
 ## Known Limitations
 
-- No bytecode analysis of IntelliJ JARs (v1.1+)
+- No runtime bytecode analysis — JARs are inspected as ZIPs and via MANIFEST.MF
+  only. Method-level instrumentation detection is out of scope.
 - No VSIX extraction (pass extracted directory instead)
 - No Marketplace API lookups without `--online` flag (publisher age, download count, verified status unavailable offline)
 - Profile-specific extension filtering not implemented (all installed extensions are scanned)
@@ -121,3 +228,9 @@ Detected by MEM scanner on extension `README.md` and `CHANGELOG.md`.
 - VS Code Extension Manifest — https://code.visualstudio.com/api/references/extension-manifest
 - ExtensionTotal — https://extensiontotal.com (closed-source, compatible reference)
 - OSV schema — confirms no `VSCodeMarketplace` ecosystem (verified 2026-04-17)
+- JetBrains plugin-content reference — https://plugins.jetbrains.com/docs/intellij/plugin-content.html
+- JetBrains plugin-configuration-file — https://plugins.jetbrains.com/docs/intellij/plugin-configuration-file.html
+- CVE-2024-37051 — JetBrains GitHub plugin token exfiltration (2024)
+- OX Security 2025 — JetBrains verified-badge bypass research
+- Log4Shell and JVM instrumentation retrospective (2021–2023)
+- YouTrack IJPL-212393 — JetBrains signature-warning inconsistency