Key Findings 15 malicious plugins discovered on JetBrains Marketplace posing as AI coding assistants, active since October 2025 Nearly 70,000 combined downloads with top plugins exceeding 25,000 downloads each Plugins exfiltrate OpenAI, DeepSeek, and SiliconFlow API keys to attacker-controlled server over unencrypted HTTP Seven different seller accounts used to distribute the malicious extensions Fake five-star reviews added to increase perceived legitimacy Secondary monetiza