AI Security Wire

Malicious JetBrains Plugins Harvest AI API Keys from 70,000 Developers

Fifteen plugins on the JetBrains Marketplace have been quietly stealing AI API keys since at least October 2025, according to researchers at Aikido Security. The plugins masquerade as AI coding assistants and Git utilities powered by services including DeepSeek, OpenAI, and SiliconFlow. The campaign accumulated more than 70,000 installs before disclosure and, at the time Aikido published its findings in mid-June 2026, the majority of the plugins remained live and downloadable from the official marketplace.

What the Plugins Do

The mechanics are deliberate and simple. A developer installs what looks like an AI coding assistant, enters their DeepSeek or OpenAI API key into the plugin’s settings panel, and clicks Apply. At that point, a hidden save() method executes alongside the normal settings save, transmitting the key in plaintext to an attacker-controlled server at IP address 39.107.60[.]51. The exfiltration request is authenticated with a hardcoded static token baked into the plugin binary so the server accepts only submissions from deployed plugin instances.

The plugins function as genuine tools after this point, which is precisely what makes the attack effective. There is nothing to prompt suspicion: the AI features work, the key appears to save correctly, and no error is raised. The credential theft happens invisibly at setup.

Aikido found 15 plugins published under seven distinct vendor accounts. The campaign launched in October 2025 with new plugins continuing to appear as recently as June 10, 2026, suggesting the operators are actively maintaining and expanding the operation rather than sitting on an initial batch.

Scale and Exposure

The two most widely installed plugins are DeepSeek AI Assist (approximately 27,700 installs) and CodeGPT AI Assistant (approximately 25,500 installs), accounting for the majority of the 70,000-plus combined total. JetBrains IDEs, including IntelliJ IDEA, PyCharm, WebStorm, and GoLand, are used by millions of developers. The Marketplace’s review process did not catch the behaviour before widespread distribution.

The attacker’s objective is likely resale of working API keys or direct exploitation of those keys to run LLM inference at the victim’s cost. DeepSeek and OpenAI API keys map directly to billing accounts. A key exfiltrated from a developer at a company with an enterprise API account could carry significant credit limits. Depending on the key’s scope, it may also provide access to fine-tuned models, uploaded files, or organisational settings beyond basic inference.

Why Developer Tools Are a Target

This campaign is part of a broader pattern. Developers are high-value credential targets: they hold access to source repositories, cloud infrastructure, CI/CD pipelines, and increasingly, AI services with significant API spend attached. IDE plugins run with the same privileges as the IDE itself, which means a malicious plugin can in principle access far more than settings fields. In this case the attacker kept the scope narrow, but the attack surface is not.

The JetBrains Marketplace, like npm, PyPI, and other ecosystem registries, relies on a mix of automated scanning and community reporting to catch malicious submissions. The window from October 2025 to June 2026 during which this campaign operated undetected illustrates how far that model still lags behind patient attackers.

Aikido noted that BleepingComputer verified the credential-theft code was still present in the latest versions of affected plugins at the time of publication, and confirmed the plugins were still publicly available on the Marketplace.

Immediate Steps

For individual developers:

  • Revoke any DeepSeek, OpenAI, or SiliconFlow API keys entered into JetBrains plugin settings. Log into the respective provider dashboard, roll the key, and generate a fresh one.
  • Check API usage logs for suspicious activity: calls from unusual IPs, unexpected model usage patterns, or billing spikes.
  • Audit installed JetBrains plugins. Remove any AI assistant, code review, or Git utility plugin installed after October 2025 that you cannot trace to a verified vendor.

For security and platform teams:

  • If your organisation distributes enterprise API keys for AI services, audit whether those keys are in use inside developer IDE environments and check whether any have been compromised.
  • Add IDE plugin vetting to your software supply chain controls. At minimum, review plugins before approving them for enterprise use; ideally, maintain an allowlist.
  • Treat AI service API keys as secrets equivalent to cloud credentials. They should never be entered into third-party UI fields. Enforce this through documented policy and, where possible, technical controls such as proxy layers that inject keys at runtime rather than exposing them to tooling.
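As an added illustration of the plugin audit step for developers and the allowlist control for platform teams (example code written here, not from Aikido, JetBrains or the article): a Python script that walks a JetBrains plugins directory, reads each jar's META-INF/plugin.xml, scans its class files for the exfiltration host named in the disclosure, and flags AI or Git plugins installed since the campaign began that are not on an allowlist. The plugin names, ids and vendors are constructed sample data; the keyword heuristic and the use of jar modification time as install time are assumptions.

```python
import os
import re
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from pathlib import Path
# Indicator and campaign start from the Aikido disclosure as quoted in the article (defanged there as 39.107.60[.]51).
EXFIL_HOST = b"39.107.60.51"
CAMPAIGN_START = datetime(2025, 10, 1, tzinfo=timezone.utc)
AI_GIT_WORDS = re.compile(r"ai|gpt|deepseek|siliconflow|openai|assist|git", re.I)  # assumed heuristic

def audit_plugin_jar(jar: Path, allowlist: set) -> dict:
    """Read META-INF/plugin.xml and scan every .class entry for the known exfiltration host."""
    with zipfile.ZipFile(jar) as zf:
        meta = ET.fromstring(zf.read("META-INF/plugin.xml"))
        has_host = any(EXFIL_HOST in zf.read(n) for n in zf.namelist() if n.endswith(".class"))
    pid, name = meta.findtext("id", ""), meta.findtext("name", "")
    installed = datetime.fromtimestamp(jar.stat().st_mtime, tz=timezone.utc)  # assumption: mtime ~ install time
    flags = [f for f, hit in (
        ("contains_known_exfil_host", has_host),
        ("ai_or_git_plugin_installed_during_campaign", installed >= CAMPAIGN_START and AI_GIT_WORDS.search(name + " " + pid)),
        ("not_on_allowlist", pid not in allowlist)) if hit]
    return {"id": pid, "name": name, "vendor": meta.findtext("vendor", ""), "flags": flags}

def audit_plugins_dir(plugins_dir: Path, allowlist: set) -> list:
    """JetBrains IDEs unpack each plugin as <plugins_dir>/<PluginName>/lib/*.jar."""
    return [audit_plugin_jar(j, allowlist) for j in sorted(plugins_dir.glob("*/lib/*.jar"))]

def build_constructed_plugins(root: Path) -> None:
    """Constructed sample data: one suspicious AI plugin and one long-installed benign plugin."""
    samples = [  # (dir, id, name, vendor, fake class bytes, install date)
        ("ExampleAssist", "com.example.ai.assist", "Example AI Assist", "Example Vendor",
         b"\xca\xfe\xba\xbe http://" + EXFIL_HOST + b"/collect", (2026, 3, 1)),
        ("KotlinTools", "org.example.kotlin", "Kotlin Tools", "Example Foundation",
         b"\xca\xfe\xba\xbe benign", (2024, 5, 1)),
    ]
    for d, pid, name, vendor, cls, ts in samples:
        jar = root / d / "lib" / f"{d}.jar"
        jar.parent.mkdir(parents=True)
        with zipfile.ZipFile(jar, "w") as zf:
            zf.writestr("META-INF/plugin.xml",
                        f"<idea-plugin><id>{pid}</id><name>{name}</name><vendor>{vendor}</vendor></idea-plugin>")
            zf.writestr("com/example/Settings.class", cls)
        os.utime(jar, (datetime(*ts, tzinfo=timezone.utc).timestamp(),) * 2)

def demo() -> list:  # build the constructed tree in a temp dir and audit it against a one-entry allowlist
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_plugins(Path(tmp))
        return audit_plugins_dir(Path(tmp), allowlist={"org.example.kotlin"})
```

Point `audit_plugins_dir` at your IDE's plugins directory with your organisation's allowlist to run it against a real install; any `contains_known_exfil_host` hit means the key entered into that plugin should be treated as compromised.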

JetBrains has been notified. A full list of the affected plugin identifiers is available in the Aikido Security disclosure.

Frequently Asked Questions

How do the malicious JetBrains plugins steal API keys?
When a developer enters an AI service API key into the plugin settings and clicks Apply, a hidden save() method immediately transmits the key to an attacker-controlled server at 39.107.60[.]51 over plain HTTP. The transmission is authenticated with a static token hardcoded into the plugin binary. The plugins otherwise function as advertised, so there is no user-visible signal of the theft.
Which plugins are affected and how do I check if I'm exposed?
Fifteen plugins across seven vendor accounts are involved. The most downloaded are DeepSeek AI Assist (27,727 installs) and CodeGPT AI Assistant (25,571 installs). If you have any AI coding assistant, AI code review, or Git utility plugin installed through JetBrains Marketplace that connects to DeepSeek, OpenAI, or SiliconFlow, treat any API keys entered as compromised. Revoke them from the provider's dashboard immediately and check billing history for unusual usage.
What should developers and security teams do right now?
Revoke any AI service API keys entered into JetBrains plugin settings. Audit all installed JetBrains plugins and remove AI assistant or Git utility plugins published after October 2025 that cannot be independently verified as legitimate. Notify your security team if your organisation has enterprise API keys that may have been entered into affected plugins. Going forward, use environment variables or a secrets manager rather than entering credentials directly into IDE plugin UI fields.