15 malicious JetBrains plugins spent 8 months stealing developers' AI API keys

BleepingComputer

Security researchers at Aikido Security have uncovered a coordinated supply chain campaign on the JetBrains Marketplace in which at least 15 malicious plugins — disguised as AI coding assistants and developer utilities — were stealing API keys from developers' IDEs. The plugins were installed nearly 70,000 times across seven vendor accounts before the campaign was disclosed, according to a report published Tuesday and independently confirmed by BleepingComputer.

The attack is notable for its duration, its specificity, and for a monetization twist that strongly implies the stolen keys were being resold. It also highlights a growing pattern in developer-targeted attacks: the plugin marketplace as an entry point into high-value credentials.

How the Campaign Worked

Each of the 15 plugins appeared functional — they offered real features including AI-powered chat, code review, unit test generation, and Git commit message drafting, backed by popular services like OpenAI, DeepSeek, and SiliconFlow. When a user entered their API key in the plugin settings and clicked Apply, that credential was silently transmitted in plaintext over an unencrypted HTTP connection to a hardcoded server at 39.107.60[.]51.

The credential exfiltration endpoint was consistent across all 15 plugins: hxxp://39.107.60[.]51/api/software/key. Researchers noted that using plaintext HTTP rather than HTTPS was either careless or deliberate — in either case, it means the keys were also visible to any network observer between the developer's machine and the attacker's server.
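As an added illustration, not code from the Aikido report or from BleepingComputer, the following Python scanner shows how a defender could run proxy logs against the behaviour described above: requests to the reported exfiltration endpoint, and more generally any API-key-shaped string sent over plaintext HTTP to any host. The log layout, the sample lines and the key values are constructed for the example; the "sk-" prefix heuristic and its length floor are assumptions.

```python
import re
from urllib.parse import urlsplit

# Exfiltration endpoint named in the report (defanged on the page as hxxp://39.107.60[.]51/api/software/key).
EXFIL_HOST = "39.107.60.51"
EXFIL_PATH = "/api/software/key"

# Heuristic for an AI-provider secret in a request body: OpenAI-style keys begin with "sk-";
# the 20-character minimum is an assumption chosen to limit false positives.
KEY_PATTERN = re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b")

# Constructed proxy log layout (not any real product's format):
# <timestamp> <client-ip> <method> <url> "<request body>"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')

def classify(line):
    """Return the findings for one log line; an empty list means nothing suspicious."""
    m = LOG_LINE.match(line)
    if not m:
        return ["unparsed"]
    _ts, _client, _method, url, body = m.groups()
    parts = urlsplit(url)
    findings = []
    if parts.hostname == EXFIL_HOST or parts.path == EXFIL_PATH:
        findings.append("known-exfil-endpoint")
    # A key sent over plaintext HTTP is readable by every hop on the path, whatever the host.
    if parts.scheme == "http" and KEY_PATTERN.search(body):
        findings.append("api-key-over-plaintext-http")
    return findings

def scan(lines):
    """Return (client-ip, url, findings) for every line that produced a finding."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        findings = classify(line)
        if findings:
            hits.append((m.group(2) if m else "?", m.group(4) if m else line, findings))
    return hits

# Constructed sample traffic; the key values are fake placeholders, not real secrets.
SAMPLE_LOG = [
    '2026-06-10T09:12:01Z 10.0.0.7 POST http://39.107.60.51/api/software/key "apiKey=sk-CONSTRUCTEDEXAMPLE0123456789abcdef"',
    '2026-06-10T09:12:05Z 10.0.0.7 POST https://api.openai.com/v1/chat/completions ""',
    '2026-06-10T09:13:40Z 10.0.0.9 POST http://203.0.113.5/collect "token=sk-CONSTRUCTEDkeyABCDEFGHIJKLMNOPQRSTUV"',
    '2026-06-10T09:14:02Z 10.0.0.9 GET https://plugins.jetbrains.com/ ""',
]
if __name__ == "__main__":
    for client, url, findings in scan(SAMPLE_LOG):
        print(f"{client} -> {url}: {', '.join(findings)}")
```

The second rule is the durable one: the hardcoded address can change between plugin variants, but a secret leaving a developer workstation in the clear is detectable regardless of destination.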

The campaign began in October 2025. New plugin variants continued to appear as recently as June 10, 2026, indicating that the operators remained active through the disclosure period. As of the time BleepingComputer published its report, at least some of the plugins were still available for download on the JetBrains Marketplace.

The Paid Tier That Gave Away Stolen Keys

The most unusual element of the campaign is what Aikido researchers called a "donation wall" — a paid upgrade tier embedded in the plugins. After paying a small fee, users received a working AI API key from the server, which the plugin would then use for model calls instead of the user's own key.

Aikido notes that no legitimate AI service operator would hand users unrestricted keys to a paid third-party service. The implication is that the keys handed out to paying customers were themselves stolen from other plugin users — creating a closed loop in which victims' credentials funded a black-market API key service. This pattern has appeared in other credential-theft campaigns targeting AI infrastructure, but seeing it embedded directly in a trusted plugin marketplace is a new escalation.

Which Services Were Targeted

The 15 plugins collectively targeted API keys for OpenAI, DeepSeek, and SiliconFlow — three of the most widely used AI inference APIs among developers. OpenAI API keys in particular carry significant monetary risk: a compromised key can result in thousands of dollars in unauthorized model usage charges before the account owner notices and rotates credentials.

The specific plugins identified by Aikido include: DeepSeek Junit Test, DeepSeek Git Commit, DeepSeek FindBugs, DeepSeek AI Chat, DeepSeek Dev AI, DeepSeek AI Coding, AI FindBugs, AI Git Commitor, AI Coder Review, DeepSeek Coder AI, AI Coder Assistant, and several others published under the same vendor infrastructure.

What Developers Should Do Now

Any developer who installed an AI coding plugin from the JetBrains Marketplace in the past eight months should assume their API keys may be compromised and rotate them immediately — this applies particularly to OpenAI, DeepSeek, and SiliconFlow credentials. Key rotation is immediate in all three platforms' account dashboards and takes less than a minute.

Before installing any plugin, check the vendor account's publication history for patterns: a vendor publishing multiple "AI assistant" plugins under slightly different names with recent publication dates is a red flag. Aikido's full list of affected plugin IDs is available in their published report.

The broader lesson is familiar but worth stating again: plugin marketplaces are not curated application stores. Malicious packages on npm, PyPI, the VS Code Marketplace, and now JetBrains Marketplace have followed essentially the same playbook — find a trusted channel, publish something functional that hides malicious behavior, and scale until caught. The AI API key market appears to be lucrative enough to sustain an eight-month campaign across 15 plugins before disclosure.

Originally reported by BleepingComputer. Read the original article for additional details.
