VYPR · Breach · Published Jun 16, 2026 · 1 source

15 Malicious JetBrains Marketplace Plugins Steal AI API Keys from Developers

A coordinated malware campaign on the JetBrains Marketplace has deployed at least 15 malicious IDE plugins that steal AI API keys from developers, with nearly 70,000 total downloads.

Security researchers at Aikido Security have uncovered a coordinated malware campaign on the JetBrains Marketplace involving at least 15 malicious plugins designed to steal AI API keys from developers. The plugins, which impersonate legitimate AI coding assistants, code-review tools, and Git utilities, have been downloaded nearly 70,000 times since October 2025, with new malicious plugins still being published as recently as June 10, 2026.

The plugins function as advertised, providing AI-powered features, but secretly exfiltrate API keys entered by users into the plugin settings. When a user clicks "Apply" after entering an API key for services like OpenAI, DeepSeek, or SiliconFlow, the credential is transmitted over HTTP to a hardcoded server at 39.107.60[.]51 via the URL hxxp://39.107.60[.]51/api/software/key. BleepingComputer independently confirmed that the latest version of the DeepSeek AI Assist plugin still contains this credential theft code.

Aikido researchers discovered that all 15 plugins share similar malicious code, submitted under seven different vendor accounts. The two most downloaded plugins are DeepSeek AI Assist (27,727 downloads) and CodeGPT AI Assistant (25,571 downloads). However, researchers warn that download counts can be manipulated and may not represent unique installations. The full list of malicious plugins includes DeepSeek Junit Test, DeepSeek Git Commit, DeepSeek FindBugs, DeepSeek AI Chat, DeepSeek Dev AI, DeepSeek AI Coding, AI FindBugs, AI Git Commitor, AI Coder Review, DeepSeek Coder AI, AI Coder Assistant, DeepSeek Code Review, CodeGPT AI Assistant, DeepSeek AI Assist, and Coding Simple Tool.

A particularly unusual aspect of the campaign is that the plugins also offer a paid tier. After a user pays a small fee through a donation wall built into the plugin, the remote server sends an AI API key back to the client, which the plugin then uses for model calls instead of the user's own key. Aikido theorizes that the operators may be harvesting credentials from free users and then providing them to paying customers, noting that no legitimate operator would hand out unrestricted keys to paid AI providers.

The campaign highlights a growing threat vector targeting developer tools. While malicious packages are commonly discovered on repositories such as npm and PyPI, reports of credential-stealing plugins distributed through the JetBrains Marketplace are far less common. JetBrains has removed the plugins and is investigating the incident, though BleepingComputer noted that at the time of writing, the DeepSeek AI Assist plugin remained available for download. BleepingComputer contacted JetBrains for comment but did not receive a response.

Developers who have installed any of these plugins should immediately rotate their AI API keys and review their accounts for unauthorized usage. The incident underscores the importance of vetting IDE plugins carefully, even those available through official marketplaces, as supply-chain attacks increasingly target the software development lifecycle.
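The two facts the article gives a defender to work with are the list of 15 plugin names and the hardcoded exfiltration endpoint (the IP 39.107.60[.]51 and the path /api/software/key). The script below is an added example, not code from Aikido, BleepingComputer or JetBrains: it walks a plugins directory, reads each plugin JAR's descriptor (META-INF/plugin.xml, the standard location for IntelliJ-platform plugins) and flags archives whose display name matches the reported list or whose contents carry the reported indicators. The plugin directory path is yours to supply; the sample JARs it builds for a self-test, including their plugin ids and class bytes, are constructed here and are not real artifacts.

```python
"""Inventory JetBrains plugin JARs and flag ones matching the reported campaign.

Two independent checks per archive:
  1. the <name> in META-INF/plugin.xml matches one of the 15 reported names
     (case-insensitive; a heuristic, since names can be copied or changed);
  2. any entry in the archive contains the reported exfiltration indicators
     (the hardcoded IP and the /api/software/key path), which also catches a
     renamed copy of the same code.
Assumption: plugins are installed as a .jar or as <plugin>/lib/*.jar, which is
how IntelliJ-based IDEs lay them out; pass your IDE's plugins directory.
"""
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# Plugin names reported in the article.
FLAGGED_NAMES = {n.casefold() for n in [
    "DeepSeek Junit Test", "DeepSeek Git Commit", "DeepSeek FindBugs",
    "DeepSeek AI Chat", "DeepSeek Dev AI", "DeepSeek AI Coding", "AI FindBugs",
    "AI Git Commitor", "AI Coder Review", "DeepSeek Coder AI",
    "AI Coder Assistant", "DeepSeek Code Review", "CodeGPT AI Assistant",
    "DeepSeek AI Assist", "Coding Simple Tool",
]}

# Indicators from the article, re-fanged so they match raw bytes in class files.
IOC_PATTERNS = [b"39.107.60.51", b"/api/software/key"]

NAME_RE = re.compile(rb"<name>\s*(.*?)\s*</name>", re.S)


def plugin_name(zf):
    """Display name from the plugin descriptor, or None if absent."""
    try:
        data = zf.read("META-INF/plugin.xml")
    except KeyError:
        return None
    m = NAME_RE.search(data)
    return m.group(1).decode("utf-8", "replace") if m else None


def scan_jar(path):
    """Return a finding dict for one JAR, or None if nothing matched."""
    reasons = []
    with zipfile.ZipFile(path) as zf:
        name = plugin_name(zf)
        if name and name.casefold() in FLAGGED_NAMES:
            reasons.append(f"name matches reported plugin: {name!r}")
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            hits = [p.decode() for p in IOC_PATTERNS if p in data]
            if hits:
                reasons.append(f"{info.filename}: contains {', '.join(hits)}")
    if not reasons:
        return None
    return {"jar": str(path), "name": name, "reasons": reasons}


def scan_plugin_dir(plugin_dir):
    """Scan every JAR under plugin_dir (recursively) and return the findings."""
    findings = []
    for path in sorted(Path(plugin_dir).rglob("*.jar")):
        finding = scan_jar(path)
        if finding:
            findings.append(finding)
    return findings


def build_sample_dir():
    """Constructed test fixture: three fake plugin JARs in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="plugins-"))

    def write_jar(filename, name, class_bytes):
        with zipfile.ZipFile(root / filename, "w") as zf:
            zf.writestr("META-INF/plugin.xml",
                        f"<idea-plugin><id>constructed.{filename}</id>"
                        f"<name>{name}</name></idea-plugin>")
            zf.writestr("com/constructed/Settings.class", class_bytes)

    # Name matches the list AND carries the reported endpoint.
    write_jar("deepseek-ai-assist.jar", "DeepSeek AI Assist",
              b"\xca\xfe\xba\xbe http://39.107.60.51/api/software/key")
    # Different name, same exfiltration endpoint: caught by the IoC check only.
    write_jar("renamed-copy.jar", "Helpful Coder",
              b"\xca\xfe\xba\xbe http://39.107.60.51/api/software/key")
    # Unrelated plugin: no finding.
    write_jar("benign.jar", "Example Benign Tool", b"\xca\xfe\xba\xbe nothing here")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_dir()
    for f in scan_plugin_dir(target):
        print(f"[!] {f['jar']} ({f['name']})")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run it against your IDE's plugins directory; with no argument it scans the constructed fixture and reports the two flagged JARs. A name match alone is only a heuristic, while the indicator match is the stronger signal. Either one should be followed by the steps the article gives: remove the plugin, rotate every API key that was ever entered into its settings, and review the provider accounts for unauthorized usage.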

Synthesized by Vypr AI