Malicious JetBrains IDE Plugins Caught Stealing AI API Keys From Developers


At least 15 malicious JetBrains IDE plugins were found stealing AI provider API keys from developers after appearing on the JetBrains Marketplace as coding assistants, code review tools, and Git utilities.

The plugins were published under seven vendor accounts and were installed close to 70,000 times, according to Aikido Security. They claimed to support services such as OpenAI, DeepSeek, and SiliconFlow, while secretly sending user-entered API keys to an attacker-controlled server.

The campaign is especially risky because the plugins appeared to work as advertised. Developers could use them for AI chat, commit messages, code review, bug detection, code generation, and unit tests, which made the hidden theft harder to spot during normal use.

How the JetBrains Plugin Campaign Worked

The malicious plugins followed the same basic pattern. A developer installed a plugin, opened its settings, and entered an API key so the tool could connect to an AI provider.

The theft happened when the developer clicked Apply. The plugin saved the key locally, then silently sent it to a hardcoded server at 39.107.60[.]51 over plaintext HTTP.

BleepingComputer reported that the plugins were designed to steal AI API keys and noted that the affected tools were disguised as AI coding assistants, code review tools, and Git utilities.

| Campaign detail | What researchers found | Why it matters |
|---|---|---|
| Number of plugins | At least 15 | The campaign used multiple listings instead of one obvious malicious plugin |
| Vendor accounts | Seven accounts | The operators spread risk across several publisher names |
| Reported installs | Close to 70,000 | The real number of affected developers may differ because download counts can be manipulated |
| Targeted secrets | OpenAI, DeepSeek, and SiliconFlow API keys | Stolen keys can create billing abuse, data exposure, and unauthorized AI usage |
| C2 indicator | 39.107.60[.]51 | The plugins sent stolen keys to a hardcoded server |

The Plugins Looked Legitimate Enough to Trust

The campaign did not rely on a plugin that immediately looked broken or suspicious. The tools offered useful developer features and returned working AI responses, which helped them blend into normal workflows.

Aikido found that all 15 plugins shared a similar codebase that had been renamed and repackaged under different plugin names. The malicious logic sat inside the settings handler, where users would normally expect the plugin to store an API key.

The server also appeared to support a paid tier. After payment, the plugin could receive an API key from the attacker-controlled server and use that key instead of the user’s own key. Researchers said this may point to a scheme where stolen API keys from one group of users were supplied to another group of paying users.

Affected JetBrains Plugins and Vendor Accounts

The affected plugins were published under names that made them look like normal AI coding tools. Some focused on DeepSeek branding, while others used broader names such as CodeGPT AI Assistant or Coding Simple Tool.

The two largest listings in Aikido’s data were DeepSeek AI Assist with 27,727 downloads and CodeGPT AI Assistant with 25,571 downloads. Researchers warned that these numbers should not be treated as confirmed unique victims.

The vendor accounts named by researchers were CodePilot, StackSmith, CodeCrafter, CodeWeaver, JetCode, DailyCode, and ZenCoder.

| Plugin name | Plugin ID | Reported downloads |
|---|---|---|
| DeepSeek Junit Test | org.sm.yms.toolkit | 1,121 |
| DeepSeek Git Commit | com.json.simple.kit | 1,894 |
| DeepSeek FindBugs | org.bug.find.tools | 1,485 |
| DeepSeek AI Chat | org.translate.ai.simple | 1,317 |
| DeepSeek Dev AI | com.yy.test.ai.simple | 740 |
| DeepSeek AI Coding | com.dev.ai.toolkit | 450 |
| AI FindBugs | com.json.view.simple | 623 |
| AI Git Commitor | com.my.git.ai.kit | 301 |
| AI Coder Review | org.check.ai.ds | 735 |
| DeepSeek Coder AI | com.review.tool.code | 3,498 |
| AI Coder Assistant | org.code.assist.dev.tool | 319 |
| DeepSeek Code Review | com.coder.ai.dpt | 278 |
| CodeGPT AI Assistant | com.my.code.tools | 25,571 |
| DeepSeek AI Assist | ord.cp.code.ai.kit | 27,727 |
| Coding Simple Tool | com.dp.git.ai.tool | 3,931 |

Why IDE Plugins Are a High-Value Target

Developer environments contain sensitive data. An IDE may have access to source code, project files, local configuration files, cloud credentials, signing material, and AI provider keys.

That makes IDE plugins attractive for supply chain attacks. A plugin runs inside a trusted tool that developers keep open for hours, and it can interact with project data and network services during normal work.

JetBrains says in its Marketplace approval guidelines that new plugins and plugin updates go through verification and approval, including automated checks and manual review before publication.

Manual Review Did Not Stop the Hidden Key Theft

The campaign shows how small malicious functions can hide inside otherwise useful developer tools. A plugin can pass basic functionality checks because the visible AI features still work.

The malicious behavior activates at a sensitive moment, when the user saves an API key. Since many AI plugins legitimately need provider keys, the request itself may not look unusual to the developer.

JetBrains’ approval criteria say plugins must not introduce security vulnerabilities or privacy issues and must ask explicit permission when collecting or transferring personal, statistical, or telemetry data. Secretly exfiltrating an API key would violate that expectation.

Developers Should Revoke Exposed AI Keys Immediately

Any developer who installed one of the affected plugins should remove it, revoke the exposed AI provider key, create a new key, and review account usage for suspicious activity.

OpenAI’s API key safety guidance says keys should not be shared, should not be committed to repositories, and should be stored securely through environment variables or a key management service.

The same guidance says users should rotate a key immediately if they believe it has leaked. Developers should also check billing dashboards for unusual token usage, failed requests, unexpected models, or usage from unfamiliar environments.

  • Uninstall any affected JetBrains plugin from all IDEs.
  • Revoke API keys entered into those plugins.
  • Create new keys with the minimum permissions needed.
  • Review AI provider billing and usage logs.
  • Search endpoint logs for connections to 39.107.60[.]51.
  • Audit installed IDE plugins across developer workstations.
  • Block unapproved plugins through enterprise endpoint or device management tools.
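
One way to run the plugin audit step on a workstation, as an added example that is not from Aikido, JetBrains, or the original article: the script reads the META-INF/plugin.xml descriptor inside each installed plugin jar and compares its id with the plugin IDs in the table above. The function names and the default per-user JetBrains directories are assumptions; IDEs installed elsewhere need their plugin directory passed explicitly.

```python
import sys
import xml.etree.ElementTree as ET
import zipfile
from pathlib import Path

# Plugin IDs copied exactly as printed in this article's table.
FLAGGED_IDS = {
    "org.sm.yms.toolkit", "com.json.simple.kit", "org.bug.find.tools",
    "org.translate.ai.simple", "com.yy.test.ai.simple", "com.dev.ai.toolkit",
    "com.json.view.simple", "com.my.git.ai.kit", "org.check.ai.ds",
    "com.review.tool.code", "org.code.assist.dev.tool", "com.coder.ai.dpt",
    "com.my.code.tools", "ord.cp.code.ai.kit", "com.dp.git.ai.tool",
}

def plugin_id_from_jar(jar_path):
    """Return the <id> declared in META-INF/plugin.xml, or None."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            with jar.open("META-INF/plugin.xml") as fh:
                root = ET.parse(fh).getroot()
    except (KeyError, zipfile.BadZipFile, ET.ParseError, OSError):
        return None  # library jar without a descriptor, or unreadable file
    ident = root.findtext("id")
    return ident.strip() if ident and ident.strip() else None

def audit(plugin_roots):
    """Return sorted (plugin_id, jar_path) pairs for flagged plugins."""
    hits = []
    for root in plugin_roots:
        for jar in Path(root).rglob("*.jar"):
            pid = plugin_id_from_jar(jar)
            if pid in FLAGGED_IDS:
                hits.append((pid, str(jar)))
    return sorted(hits)

def default_roots():
    """Assumed default per-user JetBrains data directories."""
    home = Path.home()
    candidates = [
        home / ".local/share/JetBrains",                 # Linux
        home / "Library/Application Support/JetBrains",  # macOS
        home / "AppData/Roaming/JetBrains",              # Windows
    ]
    return [p for p in candidates if p.is_dir()]

if __name__ == "__main__":
    for pid, path in audit(sys.argv[1:] or default_roots()):
        print(f"FLAGGED {pid}  {path}")
```

A hit means the plugin is still on disk; any API key that was ever entered into it should be treated as exposed even after the plugin is removed.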

Organizations Need Stronger Plugin Governance

Security teams should treat IDE plugins as software dependencies, not small user preferences. A malicious plugin can create the same business risk as a compromised package, browser extension, or CI/CD tool.

Companies should keep an inventory of installed developer plugins, approve trusted publishers, restrict unverified tools, and require security review before developers enter long-lived secrets into extensions.

BleepingComputer’s analysis also noted that reports of credential-stealing plugins on the JetBrains Marketplace are less common than malicious packages on npm or PyPI, which may make this campaign more notable for developer security teams.

AI API Keys Are Now a Supply Chain Target

The campaign highlights a growing shift in developer-focused attacks. As AI coding tools become part of daily engineering work, API keys for OpenAI, DeepSeek, SiliconFlow, and similar services become valuable credentials.

Attackers can use stolen AI keys to consume paid quota, resell access, hide their own costs, or test malicious automation at the victim’s expense. For teams, the damage can include unexpected bills, disrupted API access, and possible exposure of sensitive prompts or code fragments sent through compromised tools.

Developers should follow API key safety best practices, use short-lived or scoped credentials where possible, and avoid entering production secrets into plugins that have not been reviewed by their organization.

FAQ

What happened with the malicious JetBrains plugins?

Researchers found at least 15 JetBrains Marketplace plugins that posed as AI coding tools while stealing AI provider API keys entered into their settings. The plugins were published under seven vendor accounts and had close to 70,000 reported installs.

Which API keys were targeted?

The campaign targeted AI provider keys entered into the plugins, including keys for services such as OpenAI, DeepSeek, and SiliconFlow.

How did the plugins steal the keys?

The plugins stole keys when users clicked Apply in the settings panel. The key was sent to a hardcoded attacker-controlled server at 39.107.60[.]51 over plaintext HTTP.

What should developers do if they installed one of the plugins?

Developers should uninstall the plugin, revoke any API key entered into it, create a new key, review usage and billing logs, and check endpoints for network connections to the reported C2 server.

Why are IDE plugins risky for organizations?

IDE plugins run inside trusted developer tools and may have access to source code, local files, configuration data, cloud credentials, and AI API keys. Organizations should review and approve plugins the same way they review other software dependencies.
