15 JetBrains Plugins With 70K Installs Caught Stealing AI Keys

Aikido Security researchers have exposed a coordinated malware campaign on the JetBrains Marketplace where 15 malicious IDE plugins with roughly 70,000 combined installations silently exfiltrated AI provider API keys from developers. The plugins posed as legitimate AI coding assistants built on DeepSeek, OpenAI, and SiliconFlow—but contained hidden credential theft functionality.

How the Attack Worked

The malicious plugins functioned as advertised, offering features like automated commit messages and AI-powered code review. But when developers entered their API keys in the plugin settings and clicked "Apply," the credentials were immediately transmitted to an attacker-controlled server at 39.107.60[.]51 over unencrypted HTTP.

The exfiltration occurred through a hidden save() method hardcoded into each plugin binary. There was no consent prompt, no notification, and no visual indicator—developers had no way to know their keys were being stolen.

Particularly troubling: the attackers also operated what appeared to be a paid tier that sent working API keys back to paying users. This suggests a business model built on reselling stolen credentials.

Campaign Timeline and Scope

The earliest malicious versions appeared in late October 2025, with new variants continuing through June 2026. This marks one of the most significant threats targeting the developer supply chain in recent months, coming just a day after researchers disclosed a massive npm supply chain attack that compromised 144 packages in the Mastra namespace. The JetBrains campaign follows a similar pattern to the Arch Linux AUR compromise that distributed rootkits through 400+ packages earlier this month.

The two most-downloaded plugins were "DeepSeek AI Assist" with 27,727 downloads and "CodeGPT AI Assistant" with 25,571 downloads. Researchers note these download counts may be artificially inflated.

All 15 plugins shared nearly identical codebases repackaged under different names across seven marketplace vendor accounts. The affected plugins include:

• DeepSeek AI Assist
• CodeGPT AI Assistant
• DeepSeek Junit Test
• AI FindBugs
• SiliconFlow Code Helper
• And 10 additional AI-themed plugins

JetBrains Response

JetBrains has purged all 15 flagged plugins from the Marketplace and permanently terminated the seven associated publisher accounts. The company also marked each plugin as "broken" in its backend architecture—a mechanism that remotely disables extensions inside any user's IDE upon the next relaunch.

For developers concerned about whether they installed one of these plugins, the automatic disabling should prevent further credential exfiltration. However, any API keys previously entered should be considered compromised and rotated immediately.

The Broader Developer Security Problem

This incident highlights an ongoing challenge: developers routinely grant powerful tools access to sensitive credentials with minimal verification. IDE plugins in particular operate with significant privileges—they can read files, execute code, and intercept user input.

Supply chain attacks targeting developers have accelerated throughout 2026. Beyond the JetBrains and npm campaigns, we've seen PyPI packages targeting AI developers with credential stealers, and NVIDIA NeMo vulnerabilities enabling code injection in AI frameworks. Attackers increasingly recognize that compromising developer tools provides a force multiplier—access to build systems, source code, and deployment pipelines.

Recommendations

Organizations using JetBrains IDEs should:

1. Audit installed plugins across all developer workstations for AI-related extensions
2. Rotate all AI provider API keys that may have been entered in any IDE plugin settings
3. Review API usage logs for OpenAI, DeepSeek, and SiliconFlow accounts to identify unauthorized usage
4. Establish plugin allowlists rather than allowing developers to install arbitrary marketplace extensions
5. Monitor network traffic for connections to suspicious endpoints, particularly unencrypted HTTP requests carrying credentials

Indicator of Compromise

The credential theft endpoint was hardcoded to:

• hxxp://39.107.60[.]51/api/software/key

Block this IP at the network perimeter and check firewall logs for any historical connections.