JetBrains plugins steal developer AI API keys
#Regulation

Security Reporter
3 min read

Aikido Security found 15 JetBrains Marketplace plugins that copied AI provider keys from IDE settings and sent them to an attacker-controlled server.

Aikido Security researchers found 15 malicious plugins on the JetBrains Marketplace that stole AI API keys from developers using JetBrains IDEs.

The plugins posed as AI coding assistants, code review tools and Git utilities for services such as OpenAI, DeepSeek and SiliconFlow. Aikido said seven vendor accounts published the plugins, which drew close to 70,000 downloads.

Aikido said the operators published the first plugins in October 2025 and added new ones as late as June 10, 2026. The tools gave developers the advertised AI features, then copied keys after a user entered a credential in the plugin settings and clicked “Apply.”

Researchers traced the exfiltration to a hardcoded HTTP endpoint at 39.107.60[.]51. The plugins sent the stored key to /api/software/key, exposing credentials that could let attackers run paid model calls, inspect usage patterns or drain developer accounts.

BleepingComputer said it downloaded the DeepSeek AI Assist plugin, identified as ord.cp.code.ai.kit, and confirmed the credential-theft code in the current version. The plugin still appeared on the marketplace at publication time, according to the report.

The campaign included DeepSeek Junit Test, DeepSeek Git Commit, DeepSeek FindBugs, DeepSeek AI Chat, DeepSeek Dev AI, DeepSeek AI Coding, AI FindBugs, AI Git Commitor, AI Coder Review, DeepSeek Coder AI, AI Coder Assistant, DeepSeek Code Review, CodeGPT AI Assistant, DeepSeek AI Assist and Coding Simple Tool.

DeepSeek AI Assist led the group with 27,727 downloads. CodeGPT AI Assistant followed with 25,571. Aikido cautioned that attackers can inflate marketplace counts, so security teams should treat those numbers as exposure signals rather than confirmed installs.

Aikido also found a paid tier inside the plugins. After users paid through the donation flow, the server sent an API key back to the client, and the plugin used that key for model calls. Aikido said that pattern suggests the operators may have recycled keys stolen from free users and handed them to paying users.

The incident shows a supply chain path that many teams still miss. Developers often inspect npm and PyPI packages before use, but IDE plugins sit closer to source code, credentials and local project context. A malicious plugin can read settings, watch developer actions and blend into normal coding work.

Security teams should inventory JetBrains plugins across managed machines, remove the listed plugins and rotate any AI provider keys entered into them. Teams should also check provider billing logs for odd usage, block the reported IP address and review outbound IDE traffic for plain HTTP calls to unknown hosts.
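The traffic review step above is easy to automate once the article's indicator is known. The following is an added example (not code from the article or from Aikido) that reads egress proxy log lines in a constructed `<timestamp> <client-ip> <method> <url> <status>` format, flags any plain-HTTP request to a host outside an allowlist, and separately marks requests to the reported host and upload path. The allowlist and the sample log lines are constructed for the demonstration; the host and path are the ones the article reports.

```python
"""Flag plain-HTTP calls and reported-indicator hits in egress proxy logs.

Added example, not from the article or Aikido. Assumes one request per line:
    <timestamp> <client-ip> <method> <url> <status>
SAMPLE_LOG and ALLOWED_HOSTS are constructed for the demonstration.
"""
from urllib.parse import urlsplit

# Indicator from the report (plain HTTP, no TLS).
REPORTED_HOST = "39.107.60.51"
REPORTED_PATH = "/api/software/key"

# Hosts a developer IDE is expected to reach (assumption; tune per site).
ALLOWED_HOSTS = {"plugins.jetbrains.com", "api.openai.com", "api.deepseek.com"}

# Constructed sample: two normal HTTPS calls, one hit on the reported
# indicator, one plain-HTTP call to an unlisted internal host.
SAMPLE_LOG = """\
2026-06-11T09:14:02Z 10.0.5.23 GET https://plugins.jetbrains.com/api/plugins 200
2026-06-11T09:14:09Z 10.0.5.23 POST https://api.deepseek.com/chat/completions 200
2026-06-11T09:15:31Z 10.0.5.23 POST http://39.107.60.51/api/software/key 200
2026-06-11T09:16:04Z 10.0.5.41 GET http://updates.example.internal/version 200
2026-06-11T09:16:50Z 10.0.5.41 GET https://api.openai.com/v1/models 200
"""


def parse_line(line):
    """Split one log line into its fields and decompose the URL."""
    ts, client, method, url, status = line.split()
    parts = urlsplit(url)
    return {"ts": ts, "client": client, "method": method,
            "scheme": parts.scheme.lower(), "host": parts.hostname,
            "path": parts.path, "status": status}


def classify(req, allowed=ALLOWED_HOSTS):
    """Return the list of reasons a request is suspicious (empty if none)."""
    reasons = []
    if req["host"] == REPORTED_HOST:
        reasons.append("reported exfiltration host")
        if req["path"] == REPORTED_PATH:
            reasons.append("reported key upload path")
    if req["scheme"] == "http" and req["host"] not in allowed:
        reasons.append("plain HTTP to non-allowlisted host")
    if req["method"] == "POST" and req["host"] not in allowed:
        reasons.append("POST to non-allowlisted host")
    return reasons


def find_suspicious(log_text, allowed=ALLOWED_HOSTS):
    """Parse every non-empty line and keep those with at least one reason."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = parse_line(line)
        reasons = classify(req, allowed)
        if reasons:
            hits.append({**req, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['method']} "
              f"{hit['scheme']}://{hit['host']}{hit['path']}: "
              + "; ".join(hit["reasons"]))
```

The plain-HTTP rule is the durable one: the reported address can change, but an IDE extension posting a credential over cleartext to an address that is not a known provider endpoint stands out regardless of which host it targets.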

Developers should avoid entering production API keys into IDE extensions unless the vendor documents key storage, network behavior and source code. Use scoped keys where the provider supports them, set spend limits, and store credentials in a dedicated secret manager instead of plugin settings.

JetBrains users can review installed plugins through the IDE settings page or the JetBrains plugin directory. Teams that manage developer workstations should enforce an approved plugin list, log plugin installation events and require review for tools that request API keys.
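For the inventory and removal steps above, a script that enumerates installed plugins and compares them against the reported list is more reliable than clicking through each IDE. The following is an added example, not code from the article, from Aikido or from JetBrains. It assumes the standard JetBrains plugin layout (one per-product directory under the OS-specific JetBrains config path, a `plugins` subdirectory on macOS and Windows, each plugin being a `.jar` or a directory with `lib/*.jar`, and a `META-INF/plugin.xml` descriptor carrying `<id>` and `<name>`). Only one plugin id appears in the article (`ord.cp.code.ai.kit`), so the other 14 plugins are matched by their reported display names; the sample plugin jars built by `demo()` are constructed fixtures.

```python
"""Inventory JetBrains IDE plugins and flag those tied to the reported campaign.

Added example, not from the article, Aikido or JetBrains. Assumes the standard
JetBrains plugin layout described in the lead-in. demo() builds constructed
sample jars in a temporary directory so the scan can be exercised offline.
"""
import os
import sys
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Display names listed in the report; the single plugin id the article gives.
REPORTED_NAMES = {
    "DeepSeek Junit Test", "DeepSeek Git Commit", "DeepSeek FindBugs",
    "DeepSeek AI Chat", "DeepSeek Dev AI", "DeepSeek AI Coding", "AI FindBugs",
    "AI Git Commitor", "AI Coder Review", "DeepSeek Coder AI",
    "AI Coder Assistant", "DeepSeek Code Review", "CodeGPT AI Assistant",
    "DeepSeek AI Assist", "Coding Simple Tool",
}
REPORTED_IDS = {"ord.cp.code.ai.kit"}


def default_plugin_roots():
    """Per-product plugin directories for this OS (standard JetBrains paths)."""
    home = Path.home()
    if sys.platform == "darwin":
        base = home / "Library" / "Application Support" / "JetBrains"
    elif sys.platform.startswith("win"):
        base = Path(os.environ.get("APPDATA", str(home))) / "JetBrains"
    else:
        base = home / ".local" / "share" / "JetBrains"
    if not base.is_dir():
        return []
    roots = []
    for product in base.iterdir():  # e.g. IntelliJIdea2025.1, PyCharm2025.1
        if product.is_dir():
            sub = product / "plugins"
            roots.append(sub if sub.is_dir() else product)
    return roots


def read_plugin_meta(jar_path):
    """Read id/name from META-INF/plugin.xml inside a jar; None if not a plugin."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            if "META-INF/plugin.xml" not in jar.namelist():
                return None
            root = ET.fromstring(jar.read("META-INF/plugin.xml"))
    except (zipfile.BadZipFile, ET.ParseError):
        return None
    return {"id": (root.findtext("id") or "").strip(),
            "name": (root.findtext("name") or "").strip(),
            "path": str(jar_path)}


def inventory(roots):
    """Collect one descriptor per plugin found under the given directories."""
    found = []
    for root in roots:
        for entry in sorted(Path(root).iterdir()):
            if entry.is_file() and entry.suffix == ".jar":
                jars = [entry]
            elif entry.is_dir():
                jars = sorted((entry / "lib").glob("*.jar"))
            else:
                continue
            for jar in jars:
                meta = read_plugin_meta(jar)
                if meta and meta["id"]:
                    found.append(meta)
                    break  # the descriptor lives in exactly one jar
    return found


def flag_reported(plugins):
    """Plugins whose id or display name matches the reported campaign."""
    return [p for p in plugins
            if p["id"] in REPORTED_IDS or p["name"] in REPORTED_NAMES]


def build_sample_plugin(root, plugin_id, name):
    """Write a minimal plugin jar (constructed fixture, not a real plugin)."""
    lib = Path(root) / name.replace(" ", "") / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    xml = f"<idea-plugin><id>{plugin_id}</id><name>{name}</name></idea-plugin>"
    with zipfile.ZipFile(lib / "plugin.jar", "w") as jar:
        jar.writestr("META-INF/plugin.xml", xml)


def demo():
    """Scan a temporary root holding one benign and one reported plugin."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_plugin(tmp, "com.example.harmless", "Harmless Formatter")
        build_sample_plugin(tmp, "ord.cp.code.ai.kit", "DeepSeek AI Assist")
        plugins = inventory([tmp])
        return ([p["id"] for p in plugins],
                [p["id"] for p in flag_reported(plugins)])


if __name__ == "__main__":
    plugins = inventory(default_plugin_roots())
    for p in flag_reported(plugins):
        print(f"REPORTED PLUGIN: {p['id']} ({p['name']}) at {p['path']}")
    print(f"{len(plugins)} plugins inventoried")
```

Run it per user account on each managed workstation and feed the full inventory (not only the flagged rows) into the approved-plugin list the paragraph above calls for; a name match is weaker evidence than an id match, since display names are not unique on the marketplace, so treat name-only hits as leads to verify against the plugin's id and publisher.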

Aikido’s findings also fit a larger pattern in AI developer tooling. Coding assistants need access to prompts, files and credentials, so attackers gain value when they compromise extensions that developers trust. Marketplace review can reduce risk, but teams still need local controls because attackers can ship working features while hiding credential theft in routine settings code.
