Malicious JetBrains plugins steal developers’ AI API keys

▼ Summary
– At least 15 malicious plugins on the JetBrains Marketplace were designed to steal AI API keys from developers, with nearly 70,000 total installations.
– The plugins, discovered by Aikido Security, function as advertised AI coding tools but secretly exfiltrate API keys to a hardcoded server when users click “Apply.”
– The campaign involved seven vendor accounts, with plugins first published in October 2025 and new ones added as recently as June 10, 2026.
– A paid tier in the plugins sends working AI API keys to paying users, which Aikido says is suspicious since no legitimate operator would do this.
– The two most downloaded plugins are DeepSeek AI Assist (27,727 downloads) and CodeGPT AI Assistant (25,571 downloads), though download counts may be manipulated.
At least 15 malicious plugins have been discovered on the JetBrains Marketplace, specifically engineered to steal AI API keys from unsuspecting developers. The campaign, uncovered by Aikido Security, targets tools masquerading as AI coding assistants, code-review utilities, and Git integrations that rely on popular AI services like OpenAI, DeepSeek, and SiliconFlow.
“We detected a coordinated malware campaign on the JetBrains Marketplace,” Aikido warns. “At least 15 IDE plugins, published under seven vendor accounts, share the same hidden behavior. Each one exfiltrates the AI provider API key that you stored into its settings, and together they have been installed close to 70,000 times.”
The malicious plugins first appeared in October 2025, with fresh ones still being uploaded as recently as June 10, 2026, according to Aikido. While these plugins appear to function as advertised, they secretly transmit any API key entered by the user in the plugin settings back to the attackers. The theft occurs the moment a user clicks “Apply” after inputting their credential. That data is then sent to a hardcoded server at 39.107.60[.]51 over HTTP via this URL: hxxp://39.107.60[.]51/api/software/key.
All 15 plugins share similar code, submitted as distinct Marketplace listings. Aikido also found functionality that allows the remote server to provide AI API keys to paid users. The researchers theorize the operators may be harvesting credentials from free users and then reselling those keys to paying customers.
“The plugins also run a paid tier. After a user pays a small fee through the donation wall built into the plugin, the server sends an API key back down to the client, and the plugin starts using that key for its model calls instead of your own, which is bizarre, since no legitimate operator would simply hand a user a working and unrestricted key to a paid AI provider,” Aikido explains.
BleepingComputer downloaded and analyzed the latest version of the DeepSeek AI Assist plugin (ID: ord.cp.code.ai.kit) and independently confirmed the credential theft code remains active. As of this writing, the plugin is still available for download on the JetBrains Marketplace.
The full list of malicious plugins identified by Aikido includes: DeepSeek Junit Test, DeepSeek Git Commit, DeepSeek FindBugs, DeepSeek AI Chat, DeepSeek Dev AI, DeepSeek AI Coding, AI FindBugs, AI Git Commitor, AI Coder Review, DeepSeek Coder AI, AI Coder Assistant, DeepSeek Code Review, CodeGPT AI Assistant, DeepSeek AI Assist, and Coding Simple Tool. The two most downloaded are DeepSeek AI Assist (27,727 downloads) and CodeGPT AI Assistant (25,571 downloads). However, Aikido cautions that download counts can be easily manipulated and should not be mistaken for unique installations.
While malicious packages are routinely discovered on repositories like npm and PyPI, reports of credential-stealing plugins on the JetBrains Marketplace are far less common. BleepingComputer reached out to JetBrains for comment but had not received a response by publication time.
(Source: BleepingComputer)