
15 malicious JetBrains plugins stole AI API keys from 70k devs

Manaal Khan, 18 June 2026 at 2:21 am, 5 min read

Key Takeaways

  • 15 malicious plugins on JetBrains Marketplace exfiltrated AI API keys to a remote server
  • The campaign ran for eight months and accumulated roughly 70,000 installations
  • Stolen API keys may have been resold through the plugins' own paid tier system

At least 15 malicious plugins on the JetBrains Marketplace have been stealing AI API keys from developers who installed them. Security firm Aikido discovered the coordinated campaign, which disguised credential-harvesting malware as AI coding assistants and Git utilities. The plugins accumulated roughly 70,000 installations over eight months.

The attack is straightforward: a developer installs what appears to be a legitimate AI coding tool, enters their OpenAI, DeepSeek, or SiliconFlow API key into the plugin settings, and clicks Apply. That click sends the key in plaintext to an attacker-controlled server at 39.107.60.51. The plugins otherwise work as advertised, so nothing in day-to-day use hints that the key has left the machine, which explains why they went undetected for so long.

How the campaign operated for eight months

According to Aikido's analysis, the first malicious plugins appeared in October 2025. New ones continued to be published as recently as June 10, 2026. Seven different vendor accounts were used to distribute the 15 plugins, a tactic that made the coordinated nature of the campaign less obvious.

We detected a coordinated malware campaign on the JetBrains Marketplace that exfiltrates the AI provider API key that you stored into its settings.

— Aikido Security

BleepingComputer independently confirmed the credential theft by downloading and analyzing the DeepSeek AI Assist plugin. The malicious code matched Aikido's description. At the time of publication, the plugin remained available on the JetBrains Marketplace. JetBrains did not respond to requests for comment.

Which plugins were compromised?

The two most downloaded plugins were DeepSeek AI Assist with 27,727 downloads and CodeGPT AI Assistant with 25,571 downloads. Aikido cautions that download counts can be manipulated, so these figures may not reflect unique installations.

The full list of affected plugins includes:

  • DeepSeek AI Assist (ord.cp.code.ai.kit)
  • CodeGPT AI Assistant (com.my.code.tools)
  • DeepSeek Junit Test (org.sm.yms.toolkit)
  • DeepSeek Git Commit (com.json.simple.kit)
  • DeepSeek FindBugs (org.bug.find.tools)
  • DeepSeek AI Chat (org.translate.ai.simple)
  • DeepSeek Dev AI (com.yy.test.ai.simple)
  • DeepSeek AI Coding (com.dev.ai.toolkit)
  • AI FindBugs (com.json.view.simple)
  • AI Git Commitor (com.my.git.ai.kit)
  • AI Coder Review (org.check.ai.ds)
  • DeepSeek Coder AI (com.review.tool.code)
  • AI Coder Assistant (org.code.assist.dev.tool)
  • DeepSeek Code Review (com.coder.ai.dpt)
  • Coding Simple Tool (com.dp.git.ai.tool)

Were stolen keys being resold?

Aikido found something unusual in the plugins' code. They include a paid tier gated behind a donation wall. After a user pays, the server sends back a working API key, and the plugin switches to using that server-supplied key for AI model calls instead of the user's own.

The researchers believe the operators harvested API keys from free users and then provided them to paying customers. No legitimate service would hand out unrestricted API keys to a paid AI provider this way. It suggests a direct monetization scheme for the stolen credentials.

Why IDE marketplaces are an overlooked attack surface

Malicious packages on npm and PyPI make headlines regularly. IDE plugin marketplaces receive far less scrutiny. Developers tend to trust them implicitly because they operate within their code editor, and the plugins come from what feels like an official source.

Discussions on Hacker News and r/programming following this disclosure reflect frustration with the lack of automated security scanning for marketplace plugins. Several developers pointed out that any plugin requiring an external API key should be treated with extra caution, but few actually audit plugin code before installation.

The AI coding assistant boom has made this worse. Developers are eager to integrate tools that promise productivity gains, and attackers have capitalized on that demand by naming their malware after popular AI providers.

What developers should do now

Anyone who installed the affected plugins should immediately revoke and rotate every AI API key they entered into them, for each provider. Check the provider billing dashboards for unexpected usage spikes and for requests from regions or models you never use. The credentials were transmitted in plaintext to an attacker-controlled host, so assume they were captured; rotating alone is not enough if the old key remains active.

Going forward, verify plugin publishers before installation. Look for an established track record, public source code, or affiliation with a known company. A plugin with thousands of downloads but no clear origin should raise questions. JetBrains and other marketplace operators will likely face pressure to implement stricter vetting, but until that happens, the burden falls on individual developers.


Logicity's Take

This campaign exploited the gap between how developers think about package security and how they treat IDE plugins. npm packages at least get automated scanning and regular audits. JetBrains plugins run with full trust inside your development environment, with access to the same files, credentials, and network as the IDE itself. The attackers understood that asymmetry. Expect copycats. The combination of AI hype, developer eagerness, and lax marketplace review makes IDE plugins an attractive target for credential theft at scale.

Frequently Asked Questions

How do I check if I installed one of the malicious JetBrains plugins?

Open your JetBrains IDE, go to Settings > Plugins, and compare your installed plugins against the list published by Aikido Security. Match on the plugin IDs in parentheses, not just the display names, because display names can be copied or changed. The ID is the <id> element in the META-INF/plugin.xml inside the plugin's jar, which lives in the IDE's plugins directory; the vendor name shown in the plugin details is worth checking as well, since the campaign used seven different vendor accounts.
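The check described above and the plugin list earlier in the article can be combined into a small offline scanner. The script below is an added example, not code from Aikido or JetBrains: it walks a JetBrains plugins directory, reads the <id> from META-INF/plugin.xml in each plugin jar, and reports any ID that matches the 15 published by Aikido. The plugins-directory locations (for example ~/.local/share/JetBrains/<Product><Version>/plugins on Linux, ~/Library/Application Support/JetBrains/<Product><Version>/plugins on macOS, %APPDATA%\JetBrains\<Product><Version>\plugins on Windows) and the <plugin>/lib/*.jar layout are assumptions about the standard install layout; pass your own path as the first argument. The sample plugins it builds when run without arguments are constructed fixtures, not real marketplace artifacts.

```python
"""Scan a JetBrains plugins directory for the plugin IDs named in Aikido's report.

Added example, not the original article's or Aikido's code. Assumes the standard
layout <plugins_dir>/<plugin>/lib/*.jar with META-INF/plugin.xml inside one jar.
"""
from __future__ import annotations

import sys
import tempfile
import zipfile
from pathlib import Path
from xml.etree import ElementTree as ET

# The 15 plugin IDs listed in the article (from Aikido's disclosure).
MALICIOUS_PLUGIN_IDS: frozenset[str] = frozenset({
    "ord.cp.code.ai.kit",        # DeepSeek AI Assist
    "com.my.code.tools",         # CodeGPT AI Assistant
    "org.sm.yms.toolkit",        # DeepSeek Junit Test
    "com.json.simple.kit",       # DeepSeek Git Commit
    "org.bug.find.tools",        # DeepSeek FindBugs
    "org.translate.ai.simple",   # DeepSeek AI Chat
    "com.yy.test.ai.simple",     # DeepSeek Dev AI
    "com.dev.ai.toolkit",        # DeepSeek AI Coding
    "com.json.view.simple",      # AI FindBugs
    "com.my.git.ai.kit",         # AI Git Commitor
    "org.check.ai.ds",           # AI Coder Review
    "com.review.tool.code",      # DeepSeek Coder AI
    "org.code.assist.dev.tool",  # AI Coder Assistant
    "com.coder.ai.dpt",          # DeepSeek Code Review
    "com.dp.git.ai.tool",        # Coding Simple Tool
})


def plugin_ids_from_jar(jar_path: Path) -> set[str]:
    """Return the <id> values declared in META-INF/plugin.xml of one jar.

    Returns an empty set for library jars without a descriptor, corrupt zips,
    or unparsable XML, so a single bad file never aborts the whole scan.
    """
    try:
        with zipfile.ZipFile(jar_path) as zf:
            if "META-INF/plugin.xml" not in zf.namelist():
                return set()
            root = ET.fromstring(zf.read("META-INF/plugin.xml"))
    except (zipfile.BadZipFile, ET.ParseError, OSError):
        return set()
    # <id> is a direct child of <idea-plugin>; only look at that level.
    return {node.text.strip() for node in root.findall("id") if node.text}


def scan_plugins_dir(plugins_dir: Path) -> dict[str, Path]:
    """Map every plugin ID found under plugins_dir to the jar that declares it."""
    found: dict[str, Path] = {}
    for jar in sorted(plugins_dir.rglob("*.jar")):
        for plugin_id in plugin_ids_from_jar(jar):
            found.setdefault(plugin_id, jar)
    return found


def find_malicious(plugins_dir: Path) -> dict[str, Path]:
    """Return only the installed plugins whose ID is on Aikido's list."""
    installed = scan_plugins_dir(plugins_dir)
    return {pid: jar for pid, jar in installed.items() if pid in MALICIOUS_PLUGIN_IDS}


def build_sample_plugin(plugins_dir: Path, plugin_id: str) -> Path:
    """Write a minimal constructed plugin fixture: <dir>/<id>/lib/<id>.jar."""
    jar = plugins_dir / plugin_id / "lib" / f"{plugin_id}.jar"
    jar.parent.mkdir(parents=True, exist_ok=True)
    descriptor = f"<idea-plugin><id>{plugin_id}</id><name>{plugin_id}</name></idea-plugin>"
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/plugin.xml", descriptor)
    return jar


def demo_scan() -> dict[str, str]:
    """Scan a temporary directory holding one listed ID and one benign ID."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_plugin(root, "ord.cp.code.ai.kit")   # listed: DeepSeek AI Assist
        build_sample_plugin(root, "org.example.benign")   # constructed benign plugin
        return {pid: jar.name for pid, jar in find_malicious(root).items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = find_malicious(Path(sys.argv[1]))
        for pid, jar in hits.items():
            print(f"MATCH {pid} -> {jar}")
        sys.exit(1 if hits else 0)
    print(demo_scan())
```

Run it against each product's plugins directory on every machine where a JetBrains IDE is installed, not just the one you use most; a non-zero exit code makes it easy to wire into a fleet check. A match means the key you typed into that plugin should be treated as stolen, whatever the plugin's display name says.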

Are the malicious plugins still available on JetBrains Marketplace?

As of June 16, 2026, BleepingComputer confirmed that at least one plugin, DeepSeek AI Assist, remained available for download. JetBrains has not publicly commented.

What happens if my API key was stolen?

Attackers can use your key to make API calls at your expense, potentially running up significant charges. They may also resell your key to others. Revoke the compromised key immediately through your AI provider's dashboard.

How can I protect my API keys from plugin theft in the future?

Prefer per-tool keys with spending limits over one shared key, so that a stolen key is capped and easy to attribute; revoke a key the moment you uninstall the plugin that used it. Environment variables are only a partial defence here: a plugin runs inside the IDE process and can read them just as easily as its own settings, so the real protections are scoped keys, rotation, and usage monitoring. Audit plugins before installation, check for source code availability, and watch your API usage for anomalies.


Source: BleepingComputer


Manaal Khan

Tech & Innovation Writer
