Malicious JetBrains Plugins Stole OpenAI, DeepSeek, and SiliconFlow API Keys
9 min. read 
Published on
Developers using AI coding tools were targeted by a coordinated JetBrains Marketplace campaign that stole AI provider API keys through fake IDE plugins. The malicious plugins posed as coding assistants, commit helpers, code review tools, bug finders, and unit test generators.
Aikido Security said it found at least 15 JetBrains IDE plugins published under seven vendor accounts. Together, the plugins were installed close to 70,000 times, although researchers warned that download counts can be inflated and should not be treated as a confirmed victim count.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The stolen credentials included API keys for providers such as OpenAI, DeepSeek, and SiliconFlow. The risk is serious because AI API keys can give attackers access to paid model usage, developer workflows, internal prompts, and potentially sensitive application data.
JetBrains Removed the Malicious Plugins
JetBrains confirmed that it received reports about the malicious third-party AI plugins on June 16, 2026. The company removed all 15 flagged plugins from the Marketplace, blocked the seven related publisher accounts, and used its backend systems to disable the affected plugins inside installed IDEs after relaunch.
JetBrains also said it found no evidence that its internal source code, development environments, or core corporate infrastructure were accessed during the incident. The campaign abused third-party marketplace plugins, not JetBrains’ own products or internal systems.
The incident highlights a growing developer supply chain risk. IDE extensions run inside tools that developers trust every day, and they can sit close to source code, cloud credentials, Git accounts, package registries, and AI provider secrets.
How the API Key Theft Worked
| Stage | What happened | Why it mattered |
|---|---|---|
| Plugin installation | Developers installed fake AI coding tools from the JetBrains Marketplace. | The plugins appeared useful and performed some advertised functions. |
| Key entry | Users pasted AI provider API keys into the plugin settings. | This felt normal because the plugin needed a key to call an AI model. |
| Apply action | When users clicked Apply, the plugin saved the key locally and also sent it away. | The exfiltration happened without a warning or consent prompt. |
| C2 transfer | The key was sent as plaintext JSON over HTTP to 39.107.60[.]51. | The traffic went to a hardcoded attacker-controlled server. |
| Possible resale | Some plugins offered a paid tier that returned a working API key from the server. | Researchers believe stolen keys may have been reused or resold to other users. |
Aikido’s analysis found that the plugins shared similar code that had been renamed and repackaged across different Marketplace listings. The theft triggered when a user saved the plugin configuration, not when the developer ran a separate command.
The network request used a hardcoded IP address and a static authentication token. The key was sent over plain HTTP, which made the exfiltration especially direct and easy for defenders to search for in proxy, firewall, DNS, or EDR logs.
JetBrains said the plugins also weakened TLS validation by installing a JVM-wide X509TrustManager, which could reduce the chance that local debugging or network controls would flag unusual certificate behavior.
Affected JetBrains Plugins
| Plugin name | Plugin ID | Reported downloads |
|---|---|---|
| DeepSeek Junit Test | org.sm.yms.toolkit | 1,121 |
| DeepSeek Git Commit | com.json.simple.kit | 1,894 |
| DeepSeek FindBugs | org.bug.find.tools | 1,485 |
| DeepSeek AI Chat | org.translate.ai.simple | 1,317 |
| DeepSeek Dev AI | com.yy.test.ai.simple | 740 |
| DeepSeek AI Coding | com.dev.ai.toolkit | 450 |
| AI FindBugs | com.json.view.simple | 623 |
| AI Git Commitor | com.my.git.ai.kit | 301 |
| AI Coder Review | org.check.ai.ds | 735 |
| DeepSeek Coder AI | com.review.tool.code | 3,498 |
| AI Coder Assistant | org.code.assist.dev.tool | 319 |
| DeepSeek Code Review | com.coder.ai.dpt | 278 |
| CodeGPT AI Assistant | com.my.code.tools | 25,571 |
| DeepSeek AI Assist | ord.cp.code.ai.kit | 27,727 |
| Coding Simple Tool | com.dp.git.ai.tool | 3,931 |
The two largest listings were DeepSeek AI Assist and CodeGPT AI Assistant. Those two plugins alone accounted for more than 53,000 reported downloads.
The earliest plugin versions appeared at the end of October 2025, while new plugins were still appearing in June 2026. That long window gave the campaign time to build credibility through working features, multiple vendor accounts, and fake five-star reviews.
All affected plugins should be treated as malicious. Developers who entered an API key into any of them should assume that key was exposed, even if JetBrains has already disabled the plugin locally.
JetBrains Is Updating Marketplace Security Checks
JetBrains’ security update said its Plugin Verifier was historically designed for compatibility and API-use checks, not as a dedicated anti-malware or data-flow scanner. The company is now adding checks to flag raw IP endpoints, unencrypted non-HTTPS connections, TLS weakening behavior, and plugin code that handles sensitive cloud API keys.
The company also warned users that a Verified Vendor badge proves the publisher profile is tied to a real person or legal entity, but it does not guarantee that a plugin’s code is safe.
That warning matters because malicious plugins can still look professional. They can offer useful AI functions, receive positive-looking reviews, and appear under multiple branded vendor accounts while quietly stealing secrets in the background.
Related Attacks Show Developers Are the Target
The JetBrains campaign fits a broader pattern of attacks against developer environments. CrowdStrike, Google, and the Shadowserver Foundation disrupted the Glassworm botnet on May 26, 2026, after it targeted software developers through the open-source supply chain.
Glassworm used Trojanized VS Code extensions on OpenVSX, compromised npm and Python packages, and poisoned GitHub repositories. The campaign targeted Windows, macOS, and Linux systems, with capabilities for credential theft and remote access.
A separate Aikido report also warned about malicious VS Code extensions as an attack path into developer workstations and private repositories. These incidents show why attackers increasingly target the people and tools that build software, not only the finished products.
Indicators of Compromise
| Type | Indicator | Description |
|---|---|---|
| IP address | 39.107.60[.]51 | Hardcoded server that received stolen AI API keys |
| URL | hxxp://39.107.60[.]51/api/software/key | Exfiltration endpoint used by the JetBrains plugins |
| API token | F48D2AA7CF341F782C1D | Static token hardcoded in the malicious plugins |
| Vendor account | mycode | CodePilot vendor account |
| Vendor account | misshewei | StackSmith vendor account |
| Vendor account | keteme | CodeCrafter vendor account |
| Vendor account | simpledev | CodeWeaver vendor account |
| Vendor account | skyblue | JetCode vendor account |
| Vendor account | dialycode | DailyCode vendor account |
| Vendor account | 947cb4c8-5db1-4cf0-8182-0aae7c433bb3 | ZenCoder vendor account |
What Developers Should Do Now
Developers who installed or used any affected plugin before June 17, 2026 should remove the plugin, restart the IDE, and rotate every API key entered into it. This includes OpenAI, DeepSeek, SiliconFlow, and any other provider key saved in those plugin settings.
Teams should also review AI provider dashboards for unusual usage, sudden spikes in spending, unknown model requests, or activity linked to the known C2 infrastructure. API keys should be replaced with scoped credentials where possible, and spending limits should be applied to reduce damage from future leaks.
- Remove any affected JetBrains plugin from the IDE plugin manager.
- Restart the IDE so JetBrains’ remote disable action takes effect.
- Revoke and reissue any API key entered into the affected plugins.
- Review AI provider usage logs for abnormal requests or spending spikes.
- Block outbound traffic to 39.107.60[.]51 at firewalls and DNS controls.
- Search network logs for requests to /api/software/key.
- Audit repositories for accidentally committed AI provider keys.
- Use scoped keys, short-lived tokens, and spend limits for future IDE integrations.
How Teams Can Reduce IDE Plugin Risk
Organizations should treat IDE plugins like software dependencies with workstation-level privileges. A plugin can access project files, local settings, environment details, and sometimes secrets that developers paste into configuration screens.
The safest approach is to create an approved plugin allowlist, review plugin source code when available, restrict plugins that require long-lived secrets, and monitor outbound traffic from developer machines. Security teams should also watch for plugins that contact raw IP addresses or send sensitive data over unencrypted HTTP.
The Glassworm case shows why this matters beyond one marketplace. CrowdStrike’s takedown report said developer workstations can provide access to source code repositories, cloud platforms, CI/CD pipelines, and package registries.
AI API Keys Are Now High-Value Secrets
AI API keys have become valuable because they can unlock paid compute, enterprise model access, and automated development workflows. Attackers can burn stolen quota, resell access, or use the keys to run their own tasks while the legitimate account owner pays the bill.
Aikido’s findings suggest the attackers may have tried to build a resale model by collecting keys from one group of users and returning working keys to paid users through the same plugin ecosystem.
That model makes AI credential theft different from many older API key leaks. A stolen key can create direct financial loss within hours, especially if the provider account has high limits or lacks usage alerts.
The Bigger Developer Supply Chain Lesson
This campaign shows that trusted marketplaces are not enough on their own. Attackers can package useful features with hidden data theft, publish under multiple names, and exploit the normal behavior of developers who install tools to improve productivity.
The related VS Code extension incident reinforces the same point: developer devices have become a primary route into private code, internal systems, and software supply chains.
Developers and security teams should treat AI coding extensions with extra caution. Any tool that asks for an AI provider key should explain how the key is stored, where it is sent, and why it needs direct access.
FAQ
At least 15 malicious JetBrains Marketplace plugins posed as AI coding assistants and related developer tools. When users entered AI provider API keys into the plugin settings and clicked Apply, the plugins sent those keys to an attacker-controlled server.
The campaign targeted API keys for providers such as OpenAI, DeepSeek, and SiliconFlow. Any key entered into one of the affected plugins should be treated as exposed.
Yes. JetBrains said it removed all 15 flagged plugins from the Marketplace, blocked the seven related publisher accounts, and remotely disabled the affected plugins inside installed IDEs through its backend systems.
Affected developers should remove the plugins, restart the IDE, revoke and rotate any API keys entered into the plugins, review AI provider usage logs, block the known C2 IP address, and check repositories for exposed credentials.
IDE plugins run inside trusted developer tools and may access project files, settings, local environments, and credentials. A malicious plugin can steal secrets or interact with code and systems used in software delivery workflows.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages