"We detected a coordinated malware campaign on the JetBrains Marketplace," warns Aikido Security — a short sentence that sums up a broad and quietly dangerous operation: at least 15 integrated development environment (IDE) plugins that pretend to help developers while siphoning off the very AI API keys those developers supply.
Aikido Security's findings and timeline
Aikido Security reported the campaign to BleepingComputer and to the public, saying the set of malicious plugins was published under seven vendor accounts and "share the same hidden behavior." According to Aikido, the group of plugins has been installed close to 70,000 times in aggregate. The first of the plugins appeared in October 2025, and new plugins continued to be added as recently as June 10, 2026.
How the plugins steal AI API keys
All 15 plugins present themselves as useful tools — AI coding assistants, code-review utilities and Git helpers — and claim to be powered by services named in the reporting, including OpenAI, DeepSeek and SiliconFlow. Aikido found that the plugins operate as advertised on the surface but contain hidden code that exfiltrates credentials.
The theft occurs when a user enters an API key into a plugin's settings and clicks "Apply." At that moment the credential is sent over HTTP to a hardcoded server at 39.107.60[.]51 using the endpoint hxxp://39.107.60[.]51/api/software/key. Aikido reports that all 15 plugins share similar code responsible for this behavior.
Paid-tier behavior and Aikido's theory about reselling keys
Aikido's analysis also uncovered a server-side mechanism that supplies API keys back to paid users of the plugins. The researchers observed a "donation wall" built into the plugin: after a user pays a small fee, the remote server can send an API key to the client, and the plugin switches to using that provided key for model calls rather than the user's own key.
Aikido commented on this arrangement: "The plugins also run a paid tier. After a user pays a small fee through the donation wall built into the plugin, the server sends an API key back down to the client, and the plugin starts using that key for its model calls instead of your own, which is bizarre, since no legitimate operator would simply hand a user a working and unrestricted key to a paid AI provider." The researchers theorize that operators may be harvesting keys from free users and provisioning them to paid users, though the source of the supplied keys is not definitively established in the report.
Affected plugins, downloads, and independent confirmation
Aikido published a list of the 15 Marketplace packages that exhibit the shared malicious behavior. The plugins identified are:
- DeepSeek Junit Test (org.sm.yms.toolkit)
- DeepSeek Git Commit (com.json.simple.kit)
- DeepSeek FindBugs (org.bug.find.tools)
- DeepSeek AI Chat (org.translate.ai.simple)
- DeepSeek Dev AI (com.yy.test.ai.simple)
- DeepSeek AI Coding (com.dev.ai.toolkit)
- AI FindBugs (com.json.view.simple)
- AI Git Commitor (com.my.git.ai.kit)
- AI Coder Review (org.check.ai.ds)
- DeepSeek Coder AI (com.review.tool.code)
- AI Coder Assistant (org.code.assist.dev.tool)
- DeepSeek Code Review (com.coder.ai.dpt)
- CodeGPT AI Assistant (com.my.code.tools)
- DeepSeek AI Assist (ord.cp.code.ai.kit)
- Coding Simple Tool (com.dp.git.ai.tool)
Two plugins account for the majority of reported downloads: DeepSeek AI Assist (27,727 downloads) and CodeGPT AI Assistant (25,571 downloads). The researchers caution, however, that download counts can be manipulated and should not be interpreted strictly as unique installations.
BleepingComputer independently downloaded and analyzed the latest version of DeepSeek AI Assist (plugin ID ord.cp.code.ai.kit) and confirmed the presence of the credential-theft code. At the time of publication the DeepSeek AI Assist plugin remained available for download on the JetBrains Marketplace. BleepingComputer said it contacted JetBrains about the malicious plugins but had not received a response as of publication.
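As an added defender-side check (example code, not from Aikido, BleepingComputer or JetBrains), the script below inspects installed plugin JARs for the two indicators the article reports: a plugin.xml id on the published list, and the hardcoded exfiltration host or path present as a literal string. The plugins-directory layout and the sample-JAR fixture builder are assumptions for illustration.

```python
import io
import re
import zipfile
from pathlib import Path

# The 15 plugin IDs listed by Aikido in the reporting above.
MALICIOUS_PLUGIN_IDS = {
    "org.sm.yms.toolkit", "com.json.simple.kit", "org.bug.find.tools",
    "org.translate.ai.simple", "com.yy.test.ai.simple", "com.dev.ai.toolkit",
    "com.json.view.simple", "com.my.git.ai.kit", "org.check.ai.ds",
    "com.review.tool.code", "org.code.assist.dev.tool", "com.coder.ai.dpt",
    "com.my.code.tools", "ord.cp.code.ai.kit", "com.dp.git.ai.tool",
}
# Exfiltration endpoint from the report, un-defanged for byte matching.
EXFIL_HOST = b"39.107.60.51"
EXFIL_PATH = b"/api/software/key"
ID_RE = re.compile(rb"<id>\s*([^<\s]+)\s*</id>")

def inspect_plugin_jar(data: bytes) -> dict:
    """Inspect one plugin JAR (as bytes) for a listed id or the hardcoded exfil string."""
    findings = {"plugin_id": None, "listed_id": False, "exfil_ref": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if name == "META-INF/plugin.xml":
                m = ID_RE.search(blob)
                if m:
                    findings["plugin_id"] = m.group(1).decode("utf-8", "replace")
                    findings["listed_id"] = findings["plugin_id"] in MALICIOUS_PLUGIN_IDS
            if EXFIL_HOST in blob or EXFIL_PATH in blob:  # plain string literals only
                findings["exfil_ref"] = True
    findings["suspicious"] = findings["listed_id"] or findings["exfil_ref"]
    return findings

def scan_plugins_dir(plugins_dir) -> list:
    """Walk an IDE plugins directory (assumed layout: <plugin>/lib/*.jar) and inspect every JAR."""
    return [dict(inspect_plugin_jar(j.read_bytes()), path=str(j))
            for j in Path(plugins_dir).rglob("*.jar")]

def build_sample_jar(plugin_id: str, embed_url: bool) -> bytes:
    """Constructed fixture: a minimal JAR with a plugin.xml and one class-like blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/plugin.xml", f"<idea-plugin><id>{plugin_id}</id></idea-plugin>")
        payload = b"http://39.107.60.51/api/software/key" if embed_url else b"https://api.openai.com/v1"
        zf.writestr("com/example/Settings.class", b"\xca\xfe\xba\xbe" + payload)  # constructed
    return buf.getvalue()
```

A plugin that assembles the URL at runtime from obfuscated pieces would evade the literal match, so treat a clean result as a first pass rather than clearance, and pair it with egress monitoring for the reported address.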
What this means for developers, JetBrains, and security teams
- Developers and IDE users: the campaign directly targets credentials entered into plugin settings; keys supplied to affected plugins were observed being transmitted to a single hardcoded server address. Any developer who used one of the listed plugins and entered an AI provider key is potentially exposed to credential theft according to the reporting.
- JetBrains (the Marketplace operator): BleepingComputer reached out to JetBrains and reported no response as of publication. The presence of multiple malicious packages across seven vendor accounts raises questions, noted in the public reporting, about the Marketplace's publisher screening and response processes.
- Security teams and incident responders: Aikido notes that credential-stealing plugins on the JetBrains Marketplace are less commonly reported than malicious packages on repositories such as npm and PyPI, marking this as a noteworthy campaign vector for defenders monitoring developer-tooling supply chain risk.
The record published by Aikido and independently confirmed by BleepingComputer establishes a clear pattern: a coordinated set of plugins that work in public while exfiltrating the keys that power their private functionality. With the plugins still available on the Marketplace at the time of reporting and a vendor response pending, the immediate unanswered questions include how many individual keys were collected, how those keys were used, and whether the Marketplace publisher has disabled the listed packages.
Source: BleepingComputer — Malicious JetBrains Marketplace plugins steal AI API keys from developers