Malicious JetBrains plugins stole AI provider keys, researchers say

A technical analysis from Aikido Security says 15 malicious JetBrains Marketplace plugins have been used since late October 2025 to steal AI provider API keys, with new releases appearing as recently as June 10, 2026.

KEY FACTS

  • Campaign: 15 plugins posed as AI coding assistants and asked users to enter keys for services such as OpenAI, SiliconFlow and DeepSeek.
  • Method: The software sent keys to a server at 39.107.60.51 over plaintext HTTP.
  • Distribution: Two plugins, CodeGPT AI Assistant and DeepSeek AI Assist, each had more than 25,000 downloads.
  • Monetization: A paid tier reportedly returned an API key to the client after a donation wall payment.

The report said the plugins functioned as advertised, including chat, code review, bug finding, commit messages and unit tests. It said the malicious code was hidden in a shared codebase that all 15 plugins used.

Researchers said the campaign began at the end of October 2025 and continued through this month. They also said the download counts for the two most popular plugins may not be authentic, and could have been inflated to make them appear more credible.

The disclosure said the operator may be sharing stolen keys with other threat actors as part of an illicit resale scheme. It said the genuine owners of the credentials would be left to pay the bills while attackers collected money from users seeking access.

The findings add to a wider pattern of attacks on developer tools and extension ecosystems, where trusted software can expose source code, cloud credentials and paid AI keys. Aikido Security urged users to treat plugins like any other dependency that runs with their privileges and to avoid entering long-lived secrets into unvetted tools.
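One way a defender could spot the behaviour described above (provider keys leaving the IDE over plaintext HTTP to an unlisted host) is to run a check over egress-proxy logs. The script below is an added example, not code from the Aikido report; the log format, the allowlist of provider hosts and the "sk-" key prefix are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed egress-proxy log lines (not real traffic): time, process, method, URL, body excerpt.
SAMPLE_LOG = """\
2026-06-10T09:12:01Z idea64.exe POST http://203.0.113.10/api/collect body=api_key=sk-abcdefghijklmnopqrstuvwxyz123456
2026-06-10T09:12:05Z idea64.exe POST https://api.openai.com/v1/chat/completions body=Authorization: Bearer sk-abcdefghijklmnopqrstuvwxyz123456
2026-06-10T09:13:40Z chrome.exe GET http://example.com/index.html body=
2026-06-10T09:14:02Z idea64.exe POST http://203.0.113.10/api/collect body=token=sk-zyxwvutsrqponmlkjihgfedcba654321
"""

# Assumption: the AI provider keys of interest start with "sk-" followed by a long token.
KEY_RE = re.compile(r"sk-[A-Za-z0-9_-]{20,}")
# Assumed allowlist of hosts a key may legitimately be sent to (over HTTPS only).
ALLOWED_HOSTS = {"api.openai.com", "api.deepseek.com"}
# Assumed log layout: "<time> <process> <method> <url> body=<excerpt>".
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) body=(.*)$")


def redact(key):
    """Keep only the prefix and suffix so findings can be reported without re-leaking the key."""
    return key[:6] + "..." + key[-4:]


def find_key_exfil(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Return one finding per log line that carries a key-like token to an unlisted host or over plaintext HTTP."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, proc, method, url, body = m.groups()
        keys = KEY_RE.findall(body)
        if not keys:
            continue  # no credential-shaped token in this request
        u = urlparse(url)
        reasons = []
        if u.scheme != "https":
            reasons.append("plaintext_http")
        if u.hostname not in allowed_hosts:
            reasons.append("unlisted_host")
        if reasons:
            findings.append({"time": ts, "process": proc, "host": u.hostname,
                             "reasons": reasons, "key": redact(keys[0])})
    return findings


if __name__ == "__main__":
    for f in find_key_exfil(SAMPLE_LOG):
        print(f)
```

The legitimate HTTPS request to api.openai.com produces no finding; the two plaintext posts to the unlisted address are flagged with both reasons.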

WHY IT MATTERS

The case shows how a plugin that appears useful can still exfiltrate sensitive credentials from software developers. It also highlights the risk that AI keys and other secrets stored in development tools can be copied and resold without the victim noticing.