
Malicious JetBrains Marketplace plugins steal AI API keys from developers

At least 15 malicious plugins found in the JetBrains Marketplace are designed to steal AI API keys from developers.

The campaign, discovered by Aikido Security, includes plugins that act as AI coding assistants, code review tools, and Git resources powered by popular AI services such as OpenAI, DeepSeek, and SiliconFlow.

“We have detected a malware campaign in the JetBrains Marketplace,” Aikido warned.


“At least 15 IDE plugins, published under seven merchant accounts, share the same hidden behavior. Each one extracts the AI provider’s API key that you have stored in its settings, and together they have been installed about 70,000 times.”

According to Aikido, malicious plugins were first published in October 2025, with new plugins continuing to be published as recently as June 10, 2026.

The researchers said the plugins worked as advertised, but secretly transmitted AI API keys entered by users in the plugin’s settings back to the attackers.

According to the report, the theft occurs when a user clicks “Apply” after entering an API key, which causes the key to be sent to a hard-coded server at 39.107.60[.]51 over plain HTTP at this URL:

hxxp://39.107.60[.]51/api/software/key

The researchers found that all 15 plugins shared the same code base and were submitted as separate Marketplace plugins.

Aikido also found functionality that allows a remote server to issue AI API keys to paid users.

While it’s not clear where these API keys come from, Aikido speculates that the plugin operators may be harvesting keys from free users and handing them to paid users.

“Plugins also use the paid category. After the user pays a small fee through the contribution wall built into the plugin, the server sends the API key back down to the client, and the plugin starts using that key in its model calls instead of yours, which is strange, since no official operator can just give the user a valid and unrestricted key from the paid AI provider.”

BleepingComputer downloaded and analyzed the latest version of the DeepSeek AI Assist plugin (plugin ID: ord.cp.code.ai.kit) and independently verified that it still contains the key-theft code described in the Aikido report.

At the time of writing, the plugin remained available for download via the JetBrains Marketplace.

Campaign plugins found by Aikido are:

  • DeepSeek Junit Test (org.sm.yms.toolkit)
  • DeepSeek Git Commit (com.json.simple.kit)
  • DeepSeek FindBugs (org.bug.find.tools)
  • DeepSeek AI Discussion (org.translate.ai.simple)
  • DeepSeek Dev AI (com.yy.test.ai.simple)
  • DeepSeek AI Coding (com.dev.ai.toolkit)
  • AI FindBugs (com.json.view.simple)
  • AI Git Commitor (com.my.git.ai.kit)
  • AI Code Check (org.check.ai.ds)
  • DeepSeek Coder AI (com.review.tool.code)
  • AI Coder Assistant (org.code.assist.dev.tool)
  • DeepSeek Coder Review (com.coder.ai.dpt)
  • CodeGPT AI Assistant (com.my.code.tools)
  • DeepSeek AI Assist (ord.cp.code.ai.kit)
  • Coding Simple Tool (com.dp.git.ai.tool)
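
As an added example (not code from the article, Aikido or BleepingComputer), the following script checks a local JetBrains plugins folder against the plugin IDs listed above and the hard-coded exfiltration URL named in the report. It builds a constructed sample folder for demonstration; the folder layout (`<plugin>/lib/*.jar` with `META-INF/plugin.xml`) is the standard JetBrains plugin layout, and a plain byte search works because unobfuscated string literals sit in class constant pools as UTF-8.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Indicators and plugin IDs taken from the report above.
IOC_STRINGS = (b"39.107.60.51", b"/api/software/key")
KNOWN_MALICIOUS_IDS = {
    "org.sm.yms.toolkit", "com.json.simple.kit", "org.bug.find.tools",
    "org.translate.ai.simple", "com.yy.test.ai.simple", "com.dev.ai.toolkit",
    "com.json.view.simple", "com.my.git.ai.kit", "org.check.ai.ds",
    "com.review.tool.code", "org.code.assist.dev.tool", "com.coder.ai.dpt",
    "com.my.code.tools", "ord.cp.code.ai.kit", "com.dp.git.ai.tool",
}

def scan_jar(jar_path):
    """Return (plugin_id, hits): the <id> from META-INF/plugin.xml (None if
    absent) and the sorted list of IOC strings found in any jar entry."""
    plugin_id, hits = None, set()
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            data = jar.read(name)
            if name == "META-INF/plugin.xml":
                m = re.search(rb"<id>\s*([^<\s]+)\s*</id>", data)
                plugin_id = m.group(1).decode() if m else None
            hits.update(s.decode() for s in IOC_STRINGS if s in data)
    return plugin_id, sorted(hits)

def scan_plugins_dir(plugins_dir):
    """Walk <plugins_dir>/<plugin>/lib/*.jar and flag jars by known ID or IOC."""
    findings = []
    for jar_path in sorted(Path(plugins_dir).glob("*/lib/*.jar")):
        plugin_id, hits = scan_jar(jar_path)
        reasons = ["known malicious plugin id"] if plugin_id in KNOWN_MALICIOUS_IDS else []
        if hits:
            reasons.append("contains indicator(s): " + ", ".join(hits))
        if reasons:
            findings.append({"plugin_id": plugin_id, "jar": str(jar_path), "reasons": reasons})
    return findings

def build_sample_plugins_dir():
    """Constructed sample: a benign jar plus one mimicking the reported plugin."""
    root = Path(tempfile.mkdtemp(prefix="jb-plugins-"))
    samples = {"GoodPlugin": ("com.example.good", b"https://api.example.invalid/v1"),
               "DeepSeekAIAssist": ("ord.cp.code.ai.kit", b"http://39.107.60.51/api/software/key")}
    for folder, (pid, literal) in samples.items():
        lib = root / folder / "lib"
        lib.mkdir(parents=True)
        with zipfile.ZipFile(lib / f"{folder}.jar", "w") as jar:
            jar.writestr("META-INF/plugin.xml", f"<idea-plugin><id>{pid}</id></idea-plugin>")
            jar.writestr("a/b/Settings.class", b"\xca\xfe\xba\xbe" + literal)  # fake class
    return root
```

Point `scan_plugins_dir` at the IDE's real plugins directory to check an installation; a hit on the URL string without a known ID would indicate a plugin not yet on the list.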

The two most downloaded plugins are DeepSeek AI Assist (27,727 downloads) and CodeGPT AI Assistant (25,571 downloads).

However, the researchers caution that download statistics are subject to change and should not necessarily be taken as a count of unique installations.

While malicious packages are often found in repositories like npm and PyPI, reports of malicious plugins distributed through the JetBrains Marketplace are far rarer.

BleepingComputer contacted JetBrains about the malicious plugins, but has not received a response as of publication.
