"They function exactly as advertised. However, the AI provider API key you enter gets exfiltrated to a server controlled by the attacker," Aikido Security researcher Ilyas Makari said.
Aikido Security's findings on JetBrains Marketplace plugins
Cybersecurity researchers at Aikido Security have identified a coordinated campaign on the JetBrains Marketplace that has published at least 15 plugins designed to look like AI coding assistants but that also steal API keys users paste into their settings. The activity dates back to the end of October 2025, and new malicious plugins were still being released as recently as June 10, 2026.
All 15 plugins "share a similar codebase," Aikido said, and require users to open the settings panel and enter an API key for AI services such as OpenAI, SiliconFlow, or DeepSeek. The plugins deliver the advertised features—chat, commit messages, code review, bug finding and unit tests—while covertly sending the entered API keys to an attacker-controlled server.
- DeepSeek Junit Test (org.sm.yms.toolkit)
- DeepSeek Git Commit (com.json.simple.kit)
- DeepSeek FindBugs (org.bug.find.tools)
- DeepSeek AI Chat (org.translate.ai.simple)
- DeepSeek Dev AI (com.yy.test.ai.simple)
- DeepSeek AI Coding (com.dev.ai.toolkit)
- AI FindBugs (com.json.view.simple)
- AI Git Commitor (com.my.git.ai.kit)
- AI Coder Review (org.check.ai.ds)
- DeepSeek Coder AI (com.review.tool.code)
- AI Coder Assistant (org.code.assist.dev.tool)
- DeepSeek Code Review (com.coder.ai.dpt)
- CodeGPT AI Assistant (com.my.code.tools)
- DeepSeek AI Assist (ord.cp.code.ai.kit)
- Coding Simple Tool (com.dp.git.ai.tool)
Technical mechanism: plaintext exfiltration to 39.107.60[.]51
Aikido traced the data flow to a clear-text HTTP endpoint hosted at 39.107.60[.]51. When a user supplies an API key in a plugin settings panel, the plugin makes an HTTP request that contains the key in plaintext and forwards it to that server. The exfiltrated keys are then usable by the attacker and, according to Aikido, by anyone the operator chooses to share them with.
The plugins also implement a paid tier. Aikido wrote that "after a user pays a small fee through the donation wall built into the plugin, the server sends an API key back down to the client, and the plugin starts using that key for its model calls instead of your own," an action the company described as anomalous given that "no legitimate operator would simply hand a user a working and unrestricted key to a paid AI provider."
Makari framed the apparent business model bluntly: "The operator collects money on one side and free credentials on the other, while the genuine key owners pay the bill."
PromptSnatcher: Chrome ad blockers that harvest AI chats
Running in parallel to the JetBrains campaign, security researcher Jean-Marie R. documented a separate operation codenamed PromptSnatcher in which two Google Chrome extensions posed as ad blockers while intercepting users' conversations with AI chatbots. The two extensions remain available on the Chrome Web Store and are named Smart Adblocker (ID: iojpcjjdfhlcbgjnpngcmaojmlokmeii) with roughly 90,000 users and Adblock for Browser (ID: jcbjcocinigpbgfpnhlpagidbmlngnnn) with about 10,000 users.
Jean-Marie R. reported that "while presented as ad blockers, the extensions ship a custom-built interception engine that records non-public conversations, model usage, and account-tier metadata from every major AI platform (ChatGPT, Claude, Gemini, and others)." The researcher added that the operation uses legitimate public filter lists—EasyList and IDCAC—as cover, providing genuine ad-blocking utility while also running "an undisclosed telemetry channel."
The intercepted platforms named in the report include OpenAI ChatGPT, Anthropic Claude, Google Gemini, Microsoft Copilot, Perplexity, DeepSeek, xAI Grok, and Meta AI. The extensions capture full conversation history, model usage, and subscription tier, and transmit that data to operator-controlled infrastructure without clear user notification beyond a vague "Enhanced Protection" consent string. Whether these practices violate Google's extension policies was described in the report as unclear.
How the campaign fits an emerging threat model
Aikido framed the JetBrains activity as further evidence that "threat actors are increasingly targeting developer environments through the open-source ecosystem," a trend the company attributes to the presence of source code, cloud credentials, signing keys, and API keys inside developer tools. The report links the stolen AI keys to potential resale or reshare in LLMjacking-style schemes, turning legitimate developer accounts into unwitting billing sources for attackers and their customers.
"Treat a plugin the same way you would treat any dependency that runs with your privileges, and be cautious about pasting long-lived secrets into tools you have not vetted," Aikido advised.
What this means for developers, procurement teams, and end users
- Developers and security teams: The immediate risk is credential theft through trusted-looking tooling. The campaign demonstrates that a plugin can provide useful features while exfiltrating secrets; teams must vet plugins and avoid pasting long-lived API keys into unvetted extensions.
- Procurement and platform owners: Marketplace operators and extension platforms will need to scrutinize packages that request secrets or offer paid tiers delivering keys; download counts and longevity in a store are not proof of safety—Aikido noted download figures can be inflated and that the Chrome extensions had been present for years before the AI-capture features appeared.
- End users of AI chat services: Browser extensions can capture full conversation histories and subscription-tier metadata across multiple AI platforms, according to Jean-Marie R. Users should be aware that an extension offering a legitimate utility like ad blocking may still collect sensitive non-public material.
The two investigations together sketch a simple but potent business model: steal long-lived credentials from developers, then monetize them either by selling access or by letting paying customers use the purloined API keys. The facts reported by Aikido Security and Jean-Marie R. leave concrete questions unanswered—most notably whether marketplace operators will remove the flagged plugins and extensions, and how broadly stolen keys have been reused—but they do provide a clear, immediate warning: useful tooling can mask active credential theft, and the exfiltrated data often flows to plainly visible infrastructure such as 39.107.60[.]51.
