“Every plugin poses as an AI coding assistant built on DeepSeek and other large language models, offering chat, commit messages, code review, bug finding, and unit tests,” Aikido Security warned in its report on a coordinated campaign that has quietly preyed on developers.
Malicious plugins found on the JetBrains Marketplace
Security researchers at Aikido Security identified at least 15 integrated development environment (IDE) plugins on the JetBrains Marketplace that contain code designed to steal developers’ AI-provider API keys. The plugins have collectively been installed around 70,000 times and — Aikido says — slipped past the marketplace’s security checks. The earliest of the malicious packages dates back to October 2025, with new, similar plugins appearing as recently as June 2026.
The add-ons adopt user-facing names such as “DeepSeek Git Commit” and “AI Coder Review.” On their face they behave like legitimate AI coding assistants, providing features developers expect: chat, commit-message generation, code review, bug finding, and unit test generation. That functionality, Aikido reports, is part of what allowed the plugins to remain live and continue collecting users.
How the plugins exfiltrate API keys
Aikido’s analysis describes a simple, immediate exfiltration flow embedded in each plugin’s settings panel. To operate, the plugins ask users to paste an API key for an AI provider — examples named by Aikido include OpenAI, SiliconFlow, and DeepSeek. Because the plugin must call the model on behalf of the user, entering a key appears routine.
But the moment the user clicks Apply, the settings handler (the plugin’s save() method) stores the key locally and also forwards it to a server controlled by the attacker. Aikido notes the call “fires immediately on key entry, with no prompt, no consent screen, and no mention anywhere in the user interface.” In other words: the UI behaves normally while a concealed network call hands credentials to the operator.
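As an added example (not Aikido’s tooling and not code from the plugins), the following Python script triages a plugin archive offline for the pattern just described: settings-persistence classes that also reference an HTTP client. The marker strings, the heuristic and the sample archive are constructed assumptions; a hit is a lead for manual review of that class, not proof of exfiltration.

```python
"""Triage a plugin archive for settings code that also references an HTTP client."""
import io
import re
import zipfile

# .class constant pools hold class/method names as UTF-8, so a byte search suffices here.
SETTINGS_MARKERS = (b"PersistentStateComponent", b"loadState", b"Configurable",
                    b"PropertiesComponent")
NETWORK_MARKERS = (b"java/net/http/HttpClient", b"java/net/HttpURLConnection",
                   b"okhttp3/", b"java/net/URL", b"org/apache/http/")
KEY_MARKERS = (b"apiKey", b"api_key", b"API_KEY", b"secretKey")
URL_RE = re.compile(rb"https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[\w./%-]*)?")

def _hits(markers, data):
    return [m.decode() for m in markers if m in data]

def triage_class(name, data):
    """Finding for a class that both persists settings and talks HTTP, else None.
    A hit is a lead for manual review of that class, not proof of exfiltration."""
    settings, network = _hits(SETTINGS_MARKERS, data), _hits(NETWORK_MARKERS, data)
    if not (settings and network):
        return None
    return {"class": name, "settings": settings, "network": network,
            "key_names": _hits(KEY_MARKERS, data),
            "urls": sorted({u.decode() for u in URL_RE.findall(data)})}

def scan_archive(data, prefix=""):
    """Walk a plugin zip, recursing into nested .jar files, and collect findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            blob = zf.read(entry)
            if entry.endswith(".jar"):
                findings.extend(scan_archive(blob, prefix + entry + "!/"))
            elif entry.endswith(".class"):
                finding = triage_class(prefix + entry, blob)
                if finding:
                    findings.append(finding)
    return findings

def build_sample_plugin():
    """Constructed plugin zip: a benign settings class and one that also talks HTTP."""
    benign = b"\xca\xfe\xba\xbe PersistentStateComponent loadState apiKey"
    suspect = (b"\xca\xfe\xba\xbe PersistentStateComponent loadState apiKey "
               b"java/net/http/HttpClient https://collector.invalid/keys")
    jar, dist = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("com/example/Settings.class", benign)
        z.writestr("com/example/SettingsSync.class", suspect)
    with zipfile.ZipFile(dist, "w") as z:
        z.writestr("plugin/lib/plugin.jar", jar.getvalue())
    return dist.getvalue()
```

Run `scan_archive` over a downloaded plugin distribution zip and review each flagged class in a decompiler; a legitimate AI plugin will call the provider from its chat or completion code, so a network client inside the settings class itself is what deserves attention.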
Monetization hypothesis: reselling stolen API access
Aikido did not identify a single definitive end goal, but outlined two plausible commercial motivations. API keys that grant paid access to AI services can be used directly for compute, or they can be resold. Aikido leans toward resale as the likely model in this campaign because the malicious plugins include a paid tier.
According to the report, the plugins implement a small payment via a built-in donation wall; after payment, the user apparently receives an API key from the operator’s server to make “free” calls to the model. Aikido hypothesizes those server-supplied keys could be credentials exfiltrated from victims — transforming the campaign into a service that resells stolen API access. “The operator collects money on one side and free credentials on the other, while the genuine key owners pay the bill,” Aikido wrote.
Why IDEs are a valuable target
Aikido highlighted several structural reasons developers’ toolchains are attractive to attackers. IDEs are typically trusted by users and left open all day, which provides a persistent execution environment for malicious code. More critically, IDEs often have access to a developer’s workspace, including source code, cloud credentials, signing keys, and API keys — all of which are valuable to an operator who gains silent access.
What this means for developers, marketplace operators, and attackers
- Developers and security teams: Be aware that plugins may request provider API keys for services such as OpenAI, SiliconFlow, and DeepSeek; Aikido has shared indicators of compromise (IoCs) in its blog post, which the report recommends consulting to determine whether a given installation is affected.
- Marketplace operators and procurement leaders: These plugins evaded marketplace checks before widespread installation, spotlighting the risk that malicious code can be packaged inside otherwise functional tooling. The presence of paid tiers tied to server-provisioned API keys may warrant closer scrutiny of monetization flows.
- Adversaries and operators: The campaign illustrates a pragmatic criminal playbook: provide useful functionality to attract users, then convert stolen credentials into a revenue stream — either through resale of keys or by shifting usage costs to victims.
Aikido has published technical details and the IoCs accompanying its findings; its analysis frames the central questions that remain: who is operating the server-side infrastructure, and whether marketplace controls and developer practices will adapt quickly enough to stop credential siphoning. The original report is available from Infosecurity Magazine at the link below.
https://www.infosecurity-magazine.com/news/fifteen-jetbrains-marketplace/