top of page

JetBrains IDE Plugins Caught Stealing AI API Keys and Sensitive Data

  • Jun 17
  • 3 min read

Key Findings


  • 15 malicious plugins discovered on JetBrains Marketplace posing as AI coding assistants, active since October 2025

  • Nearly 70,000 combined downloads with top plugins exceeding 25,000 downloads each

  • Plugins exfiltrate OpenAI, DeepSeek, and SiliconFlow API keys to attacker-controlled server over unencrypted HTTP

  • Seven different seller accounts used to distribute the malicious extensions

  • Fake five-star reviews added to increase perceived legitimacy

  • Secondary monetization scheme resells stolen API credentials to paying users

  • Concurrent discovery of two malicious Chrome extensions capturing AI chatbot conversations from major platforms


Background


The JetBrains Marketplace has become a target for coordinated supply chain attacks against software developers. Aikido Security uncovered this campaign and identified a pattern where cybercriminals distribute seemingly legitimate tools designed to enhance developer workflows. The malicious activity spans eight months, from late October 2025 through June 2026, suggesting a sustained operation with significant reach.


The Malicious Plugins


All 15 plugins were designed to impersonate AI coding assistants built on popular large language models. The identified plugins include CodeGPT AI Assistant, DeepSeek AI Assist, DeepSeek Junit Test, AI FindBugs, AI Git Commitor, and others. Each plugin offered genuine functionality like code reviews, automated commit messages, unit test generation, and bug detection to build trust with unsuspecting developers.


Infiltration Method


The malicious code operates through a deceptive setup process. Developers are prompted to enter their AI provider API keys into a settings interface as part of normal configuration. The plugins then hook into the IDE's save function, intercepting these credentials the moment users apply changes. The stolen data gets transmitted in plaintext over unencrypted HTTP connections to a static server at 39.107.60[.]51 controlled by the attackers. Crucially, this exfiltration happens silently with no permission prompts or visual warnings to alert users.


Monetization Scheme


The operators implemented a two-tier business model that generates revenue while multiplying harm to victims. Free users unknowingly have their credentials stolen. Paying users receive a functional, unrestricted API key sent from the attacker's server. Researchers believe these returned keys are likely the stolen credentials from other users, meaning original credential owners effectively fund the unauthorized compute usage while criminals profit from reselling access.


Broader Threat Landscape


IDE plugins present an attractive target for attackers because they run with elevated privileges on developer workstations without sandbox restrictions. This gives threat actors direct access to source code, cloud credentials, and authentication tokens. A similar campaign called GlassWorm successfully compromised Visual Studio Code in late 2025 using comparable techniques. Researchers advise treating marketplace plugins with the same caution as third-party code dependencies.


Chrome Extension Campaign


Concurrent with the JetBrains discovery, two malicious Chrome ad blocker extensions named Smart Adblocker and Adblock for Browser were caught capturing AI chatbot conversations. Combined, they had approximately 100,000 users. Despite presenting themselves as ad blockers using legitimate filter lists, both extensions contained custom interception engines secretly recording conversations from ChatGPT, Claude, Gemini, Copilot, Perplexity, DeepSeek, Grok, and Meta AI. This technique, called Prompt Poaching, captures non-public conversations and account metadata while the extensions were updated over several years to add AI surveillance capabilities.


Security Recommendations


Developers should verify plugin publishers and review code before installation. Treat extensions the same way as external dependencies that run with system privileges. Avoid pasting long-lived secrets like API keys into unvetted tools. Monitor API usage for unauthorized activity and rotate compromised credentials immediately. Organizations should implement strict policies around IDE plugin installation and consider blocking marketplace access where feasible.


Sources


  • https://hackread.com/malicious-jetbrains-plugins-steal-deepseek-openai-api-keys/

  • https://thehackernews.com/2026/06/malicious-jetbrains-plugins-steal-ai.html

  • https://app.daily.dev/posts/multiple-jetbrains-ide-plugins-caught-stealing-ai-keys-e0cbtefum

  • https://www.aikido.dev/blog/multiple-jetbrains-ide-plugins-caught-stealing-ai-keys

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page