15 Malicious JetBrains Plugins Caught Stealing AI API Keys from Developers
Cybersecurity researchers at Aikido Security have uncovered a coordinated malware campaign on the JetBrains Marketplace involving at least 15 malicious plugins designed to steal artificial intelligence provider API keys from unsuspecting developers. Disguised as legitimate AI coding assistants built on DeepSeek and other large language models, the plugins offer chat functionality, commit message generation, code review, bug finding, and unit tests. They perform as advertised, but covertly exfiltrate any AI provider API keys entered by users to an attacker-controlled server at IP address 39.107.60[.]51 over plaintext HTTP requests. The campaign has been active since late October 2025, with new malicious plugins appearing as recently as June 10, 2026. Two of the plugins, CodeGPT AI Assistant and DeepSeek AI Assist, have each accumulated more than 25,000 downloads, though researchers note these figures may have been artificially inflated to lend credibility.
Aikido Security researcher Ilyas Makari explained that all 15 plugins share a similar codebase and require users to enter an API key for services such as OpenAI, SiliconFlow, or DeepSeek to unlock the promised features. The exfiltration happens silently in the background, so it is difficult to notice during normal use. Notably, the plugins also offer a paid tier via a built-in donation wall: after receiving a small payment, the server returns a working API key to the client, which the plugin then uses in place of the user's own key. This effectively monetizes the stolen credentials by granting paying customers access to AI resources funded by the victims.
The monetization model suggests the operators are reselling stolen API keys to other threat actors as part of a broader illicit service, with the original key owners unwittingly footing the bill for the AI usage. "The operator collects money on one side and free credentials on the other, while the genuine key owners pay the bill," Makari said. The full list of malicious plugins is: DeepSeek Junit Test, DeepSeek Git Commit, DeepSeek FindBugs, DeepSeek AI Chat, DeepSeek Dev AI, DeepSeek AI Coding, AI FindBugs, AI Git Commitor, AI Coder Review, DeepSeek Coder AI, AI Coder Assistant, DeepSeek Code Review, CodeGPT AI Assistant, DeepSeek AI Assist, and Coding Simple Tool. Developers who have installed any of these plugins are urged to immediately rotate their API keys and audit provider usage logs for unauthorized access.
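The indicators in this article (the 15 plugin display names and the plaintext HTTP exfiltration host) are enough for a defender to hunt for affected workstations. The following is an added example, not Aikido's tooling or anything shipped by JetBrains. It assumes the standard JetBrains plugin layout (a plugin folder containing lib/*.jar, where each jar carries META-INF/plugin.xml with a `<name>` element) and uses constructed sample jars and constructed egress-proxy log lines so that it runs offline; the directory names, log format and the `sk-REDACTED` key value are made up for the demo.

```python
"""Hunt for the malicious JetBrains AI-assistant plugins described above.

Added example (not Aikido's or JetBrains' code). It assumes JetBrains plugins
are unpacked as <plugin>/lib/*.jar and that each jar's META-INF/plugin.xml
carries a <name> element. Indicators come from the article: the plugin
display names and the exfiltration host 39.107.60.51.
"""
import os
import re
import tempfile
import zipfile
from xml.etree import ElementTree

# Indicators of compromise taken from the article.
MALICIOUS_PLUGIN_NAMES = {
    "DeepSeek Junit Test", "DeepSeek Git Commit", "DeepSeek FindBugs",
    "DeepSeek AI Chat", "DeepSeek Dev AI", "DeepSeek AI Coding", "AI FindBugs",
    "AI Git Commitor", "AI Coder Review", "DeepSeek Coder AI",
    "AI Coder Assistant", "DeepSeek Code Review", "CodeGPT AI Assistant",
    "DeepSeek AI Assist", "Coding Simple Tool",
}
EXFIL_IP = "39.107.60.51"
# Anchored so 139.107.60.51 or 39.107.60.512 do not produce false positives.
EXFIL_IP_RE = re.compile(r"(?<![\d.])" + re.escape(EXFIL_IP) + r"(?!\d)")
EXFIL_IP_BYTES_RE = re.compile(EXFIL_IP_RE.pattern.encode())


def plugin_name_from_jar(jar_path):
    """Return the <name> from META-INF/plugin.xml inside a plugin jar, or None."""
    with zipfile.ZipFile(jar_path) as zf:
        if "META-INF/plugin.xml" not in zf.namelist():
            return None
        root = ElementTree.fromstring(zf.read("META-INF/plugin.xml"))
        node = root.find("name")
        return node.text.strip() if node is not None and node.text else None


def jar_contains_exfil_ip(jar_path):
    """True if any entry in the jar embeds the exfiltration IP as a literal string."""
    with zipfile.ZipFile(jar_path) as zf:
        return any(EXFIL_IP_BYTES_RE.search(zf.read(n)) for n in zf.namelist())


def scan_plugins_dir(plugins_dir):
    """Walk a JetBrains plugins directory; return one finding per suspicious jar."""
    findings = []
    for dirpath, _, files in os.walk(plugins_dir):
        for fn in sorted(files):
            if not fn.endswith(".jar"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                name = plugin_name_from_jar(path)
                has_ip = jar_contains_exfil_ip(path)
            except (zipfile.BadZipFile, ElementTree.ParseError):
                continue  # not a readable plugin jar; skip rather than crash the sweep
            reasons = []
            if name in MALICIOUS_PLUGIN_NAMES:
                reasons.append("known malicious plugin name")
            if has_ip:
                reasons.append("embeds exfiltration IP " + EXFIL_IP)
            if reasons:
                findings.append({"jar": path, "name": name, "reasons": reasons})
    return findings


def flag_exfil_in_logs(lines):
    """Return egress/proxy log lines that reference the exfiltration host."""
    return [ln for ln in lines if EXFIL_IP_RE.search(ln)]


def build_demo_plugins_dir():
    """Constructed sample: one jar mimicking a listed plugin, one benign jar."""
    root = tempfile.mkdtemp(prefix="jb-plugins-")

    def write_jar(folder, plugin_name, payload):
        os.makedirs(os.path.join(root, folder, "lib"), exist_ok=True)
        jar = os.path.join(root, folder, "lib", "plugin.jar")
        with zipfile.ZipFile(jar, "w") as zf:
            zf.writestr("META-INF/plugin.xml",
                        f"<idea-plugin><id>demo.{folder}</id>"
                        f"<name>{plugin_name}</name></idea-plugin>")
            zf.writestr("com/demo/Client.class", payload)  # fake class bytes
        return jar

    bad = write_jar("deepseek-assist", "DeepSeek AI Assist",
                    b"\xca\xfe\xba\xbe http://39.107.60.51/collect ")
    good = write_jar("formatter", "Kotlin Formatter Helper",
                     b"\xca\xfe\xba\xbe no network access ")
    return root, bad, good


# Constructed egress-proxy lines (not real data); only the second is a hit.
SAMPLE_LOG_LINES = [
    "2025-11-02T09:14:03Z CONNECT api.openai.com:443 200",
    "2025-11-02T09:14:05Z GET http://39.107.60.51/collect?key=sk-REDACTED 200",
    "2025-11-02T09:14:09Z GET http://139.107.60.51/health 200",
]

if __name__ == "__main__":
    demo_root, _, _ = build_demo_plugins_dir()
    for f in scan_plugins_dir(demo_root):
        print(f["jar"], f["name"], "; ".join(f["reasons"]))
    for line in flag_exfil_in_logs(SAMPLE_LOG_LINES):
        print("EXFIL?", line)
```

Point `scan_plugins_dir` at the IDE's real plugins directory (for example the `plugins` folder under the JetBrains configuration directory on the workstation) and feed `flag_exfil_in_logs` lines from your egress proxy or firewall. A match on the name alone is a hit against the published list; a match on the IP in jar bytes or in logs catches a renamed variant that still talks to the same server. Because the exfiltration is plaintext HTTP, the API key itself is visible in any captured request, so a log hit should be followed by key rotation regardless of which plugin produced it.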