IntelliJ has a deprecated PasswordUtil class that XORs secrets with a fixed key before storing them. Some plugins, such as SonarLint (from SonarQube), still use this outdated class to store passwords and tokens.

The encoding

The source for PasswordUtil shows that it simply XORs the password with the constant 0xdfaa.

Usage in plugins

PasswordUtil has carried the following deprecation notice since 2018, yet some plugins still use it to store credentials.

@deprecated Credentials MUST BE stored in ({@link com.intellij.ide.passwordSafe.PasswordSafe})

An example of a vulnerable plugin is SonarLint, the official IntelliJ plugin from SonarQube. Last year someone opened a pull request to store credentials securely, but it broke some checks and was never followed up. The current master branch still uses encodePassword.

If we search for path:intellij "PasswordUtil.encodePassword" NOT sonarlint, we still get 49 results across different plugins, such as tasks, remote, dbn, remotesdk and vssSupport.

Searching for tokens and passwords in people's committed sonarlint.xml files shows over 50 results. Searching for path:.idea/webServers.xml password, however, shows a staggering 896 files. I don't know which plugin generates this webServers.xml file.

Examples

An example of an exposed SonarLint token can be found here in sonarlint.xml. The first token between the token tags is:

df9ddf9cdf9ddfcfdf9cdfcedfc8dfc9df98df9cdf99df93df93df98df9edf9ddfcfdf9cdf9fdf92df9cdfcbdfccdfc8dfc9df9bdf9ddf9ddf9adf9fdf92dfc9df9ddf9ddfcedf92df9adfc9df92df9d

This decodes to the token 767e6dbc26399247e6586afbc177058c77d80c87. Another example is this webServers.xml, which contains the encoded SFTP password 'hellomoto'.
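The encoding above re-implemented in Python, together with a check a secret scanner can run over committed .idea XML files to flag PasswordUtil-encoded values. This is an added example, not code from the post or from IntelliJ; the XML layout and the values in SAMPLE_XML are constructed, and encode_password/decode_password mirror the behaviour of the IntelliJ methods as described (unpadded hex, which is always four digits for ASCII input).

```python
import re
import xml.etree.ElementTree as ET

XOR_KEY = 0xDFAA  # the fixed key PasswordUtil XORs every character with


def encode_password(password: str) -> str:
    """Mirror PasswordUtil.encodePassword: each char XOR 0xdfaa, emitted as
    unpadded hex (like Integer.toHexString); four digits for all ASCII input."""
    return "".join(format(ord(ch) ^ XOR_KEY, "x") for ch in password)


def decode_password(encoded: str) -> str:
    """Mirror PasswordUtil.decodePassword: consume four hex digits per character."""
    if len(encoded) % 4 or not re.fullmatch(r"[0-9a-fA-F]*", encoded):
        raise ValueError("not PasswordUtil output: need a multiple of 4 hex digits")
    return "".join(chr(int(encoded[i:i + 4], 16) ^ XOR_KEY)
                   for i in range(0, len(encoded), 4))


def looks_encoded(value: str) -> bool:
    """Scanner heuristic: decodes cleanly to printable ASCII of credential-like
    length. Unrelated hex (e.g. a commit id) fails the printable-ASCII test."""
    try:
        plain = decode_password(value)
    except ValueError:
        return False
    return len(plain) >= 4 and all(0x20 <= ord(c) < 0x7F for c in plain)


def scan_idea_xml(xml_text: str) -> list[tuple[str, int]]:
    """Flag every attribute or text node that looks PasswordUtil-encoded.
    Reports only the location and plaintext length, never the secret itself."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        candidates = [(f"<{elem.tag}> text", (elem.text or "").strip())]
        candidates += [(f"<{elem.tag} {name}=...>", value.strip())
                       for name, value in elem.attrib.items()]
        for where, value in candidates:
            if looks_encoded(value):
                findings.append((where, len(value) // 4))
    return findings


# Constructed sample of a committed .idea file (element names and values are made up).
SAMPLE_XML = (
    "<project><component name='WebServers'>"
    f"<webServer id='x1' password='{encode_password('hellomoto')}'/>"
    "<webServer id='x2' password='4ac7f1a2'/>"  # plain hex, not PasswordUtil output
    "</component></project>"
)
```

Running scan_idea_xml(SAMPLE_XML) reports one finding, the 9-character secret in the first webServer's password attribute, while the unrelated hex value is left alone.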