JetBrains IDE Plugins Caught Stealing AI API Keys and Sensitive Data
- Jun 17
- 3 min read
Key Findings
15 malicious plugins discovered on JetBrains Marketplace posing as AI coding assistants, active since October 2025
Nearly 70,000 combined downloads with top plugins exceeding 25,000 downloads each
Plugins exfiltrate OpenAI, DeepSeek, and SiliconFlow API keys to attacker-controlled server over unencrypted HTTP
Seven different seller accounts used to distribute the malicious extensions
Fake five-star reviews added to increase perceived legitimacy
Secondary monetization scheme resells stolen API credentials to paying users
Concurrent discovery of two malicious Chrome extensions capturing AI chatbot conversations from major platforms
Background
The JetBrains Marketplace has become a target for coordinated supply chain attacks against software developers. Aikido Security uncovered this campaign and identified a pattern where cybercriminals distribute seemingly legitimate tools designed to enhance developer workflows. The malicious activity spans eight months, from late October 2025 through June 2026, suggesting a sustained operation with significant reach.
The Malicious Plugins
All 15 plugins were designed to impersonate AI coding assistants built on popular large language models. The identified plugins include CodeGPT AI Assistant, DeepSeek AI Assist, DeepSeek Junit Test, AI FindBugs, AI Git Commitor, and others. Each plugin offered genuine functionality like code reviews, automated commit messages, unit test generation, and bug detection to build trust with unsuspecting developers.
Infiltration Method
The malicious code operates through a deceptive setup process. Developers are prompted to enter their AI provider API keys into a settings interface as part of normal configuration. The plugins then hook into the IDE's save function, intercepting these credentials the moment users apply changes. The stolen data gets transmitted in plaintext over unencrypted HTTP connections to a static server at 39.107.60[.]51 controlled by the attackers. Crucially, this exfiltration happens silently with no permission prompts or visual warnings to alert users.
Monetization Scheme
The operators implemented a two-tier business model that generates revenue while multiplying harm to victims. Free users unknowingly have their credentials stolen. Paying users receive a functional, unrestricted API key sent from the attacker's server. Researchers believe these returned keys are likely the stolen credentials from other users, meaning original credential owners effectively fund the unauthorized compute usage while criminals profit from reselling access.
Broader Threat Landscape
IDE plugins present an attractive target for attackers because they run with elevated privileges on developer workstations without sandbox restrictions. This gives threat actors direct access to source code, cloud credentials, and authentication tokens. A similar campaign called GlassWorm successfully compromised Visual Studio Code in late 2025 using comparable techniques. Researchers advise treating marketplace plugins with the same caution as third-party code dependencies.
Chrome Extension Campaign
Concurrent with the JetBrains discovery, two malicious Chrome ad blocker extensions named Smart Adblocker and Adblock for Browser were caught capturing AI chatbot conversations. Combined, they had approximately 100,000 users. Despite presenting themselves as ad blockers using legitimate filter lists, both extensions contained custom interception engines secretly recording conversations from ChatGPT, Claude, Gemini, Copilot, Perplexity, DeepSeek, Grok, and Meta AI. This technique, called Prompt Poaching, captures non-public conversations and account metadata while the extensions were updated over several years to add AI surveillance capabilities.
Security Recommendations
Developers should verify plugin publishers and review code before installation. Treat extensions the same way as external dependencies that run with system privileges. Avoid pasting long-lived secrets like API keys into unvetted tools. Monitor API usage for unauthorized activity and rotate compromised credentials immediately. Organizations should implement strict policies around IDE plugin installation and consider blocking marketplace access where feasible.
Sources
https://hackread.com/malicious-jetbrains-plugins-steal-deepseek-openai-api-keys/
https://thehackernews.com/2026/06/malicious-jetbrains-plugins-steal-ai.html
https://app.daily.dev/posts/multiple-jetbrains-ide-plugins-caught-stealing-ai-keys-e0cbtefum
https://www.aikido.dev/blog/multiple-jetbrains-ide-plugins-caught-stealing-ai-keys

Comments