A coordinated campaign of at least 15 malicious plugins on the JetBrains Marketplace is stealing AI service API keys from developers' IDEs. Discovered by Aikido Security and disclosed on June 16, 2026, the operation amassed roughly 70,000 installations spread across seven different vendor accounts. The plugins remained available for download at the time of publication; JetBrains had not yet responded to BleepingComputer's request for comment.
- At least 15 malicious plugins, published under 7 different vendor accounts, share the same AI API key theft code
- The key is exfiltrated to the hardcoded server 39.107.60[.]51 via HTTP the moment the user clicks "Apply" in settings
- BleepingComputer independently analyzed the DeepSeek AI Assist plugin code, confirming the presence of the malicious mechanism
- The plugins implement a parasitic freemium model: after payment, the server supplies an API key presumably stolen from another user
How the Theft Works: The "Apply" Click That Exposes the Key
The plugins pose as legitimate AI assistance tools: AI coding assistants, code-review utilities, and Git integrations for OpenAI, DeepSeek, and SiliconFlow services. The surface is credible; the advertised functionality is delivered. The malicious mechanism triggers at a specific moment in the configuration flow.
When a developer enters their API key in the plugin settings and presses the "Apply" button, the credential is transmitted to the hardcoded server 39.107.60[.]51 over unencrypted HTTP. This occurs regardless of whether the key is valid, the service is active, or the user proceeds to use the tool. The theft is conditioned solely on the act of confirming the settings.
Independent analysis by BleepingComputer on the DeepSeek AI Assist plugin (ID: ord.cp.code.ai.kit), the most downloaded at 27,727 installs, confirmed that the latest available version still contains this exfiltration code. The confirmation does not rest solely on the researcher's claim; it was obtained by downloading and inspecting the package distributed through the official marketplace.
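A defender's triage check for the pattern described above, added here as an example and not code from the advisory or from any of the plugins: it unpacks a plugin JAR and flags every plaintext `http://` literal whose host is a bare IPv4 address, the shape of the hardcoded endpoint the report describes. The JAR layout, the plugin id `example.ai.assist` and the path `/api/collect` are constructed for the demo; only the IP address comes from the report.

```python
from __future__ import annotations
import io
import re
import sys
import zipfile
from pathlib import Path

# Plaintext-HTTP URL whose host is a bare IPv4 address, optionally with a port
# and a path of URL-safe characters. Hostname-based or HTTPS URLs do not match.
BARE_IP_HTTP = re.compile(
    rb"http://(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?(?:/[A-Za-z0-9._~/?#&=%+-]*)?"
)

def scan_plugin_archive(data: bytes) -> list:
    """Return 'member: url' for every bare-IP http:// literal in a plugin JAR/ZIP.

    Java string constants are stored verbatim in .class constant pools, so a
    hardcoded endpoint survives a plain byte scan without decompiling anything.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.infolist():
            if member.is_dir():
                continue
            for m in BARE_IP_HTTP.finditer(zf.read(member)):
                hits.append(f"{member.filename}: {m.group(0).decode('ascii', 'replace')}")
    return hits

def scan_plugins_dir(plugins_dir: Path) -> dict:
    """Scan every .jar under an IDE plugins directory (plugins ship as <name>/lib/*.jar)."""
    findings = {}
    for jar in sorted(plugins_dir.rglob("*.jar")):
        hits = scan_plugin_archive(jar.read_bytes())
        if hits:
            findings[str(jar)] = hits
    return findings

def build_sample_plugin(endpoint: bytes) -> bytes:
    """Constructed stand-in for a plugin JAR: a fake .class blob holding one literal."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/plugin.xml", "<idea-plugin><id>example.ai.assist</id></idea-plugin>")
        # Class-file magic, then the literal bracketed by constant-pool-style bytes.
        zf.writestr("com/example/Settings.class", b"\xca\xfe\xba\xbe\x00\x01" + endpoint + b"\x00\x0bapplyButton")
    return buf.getvalue()

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # real scan: python scan.py ~/.local/share/JetBrains/<IDE>/plugins
        for jar, hits in scan_plugins_dir(Path(sys.argv[1])).items():
            print(jar, *hits, sep="\n  ")
    else:                                       # demo on the constructed sample (IP from the report)
        print(scan_plugin_archive(build_sample_plugin(b"http://39.107.60.51/api/collect")))
```

A hit is a lead, not a verdict: inspect the flagged class and the IDE's outbound traffic before removing the plugin, and treat any key ever entered into its settings as compromised.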
The Parasitic Freemium Model: Stolen Keys Recirculated
"After a user pays a small fee through the donation wall built into the plugin, the server sends an API key back down to the client, and the plugin starts using that key for its model calls instead of your own, which is bizarre, since no legitimate operator would simply hand a user a working and unrestricted key to a paid AI provider."
— Aikido Security
Beyond theft, the plugins implement a monetization model Aikido Security describes as a "paid tier." Users who do not provide their own key can pay a small fee through a built-in donation wall. The server then supplies a working API key, and the plugin begins using it in place of the user's own. The mechanism raises a provenance problem: a legitimate platform would not distribute third-party commercial API keys without authorization.
The source does not establish where the keys supplied to paying users come from. Aikido's thesis is that they are credentials previously stolen from other developers, recirculated through the same system. That hypothesis is not confirmed by any independent technical analysis cited in the dossier. What is documented is the server's ability to serve working keys on demand, behavior incompatible with a legitimate business model based on authorized resale.
Scale and Timeline: October 2025 to June 2026
The campaign spans an extended timeline. The first plugin was published in October 2025, the last on June 10, 2026. The eight-month duration suggests operational persistence and, presumably, sufficient profit to justify maintaining the infrastructure. The fifteen plugins share similar code presented as distinct products, a camouflage technique that multiplies the attack surface and fragments the detection profile.
Install counts should be read with caution. Aikido Security reports "close to 70,000" total installations, noting that download counts can be manipulated. The two most distributed plugins are DeepSeek AI Assist with 27,727 downloads and CodeGPT AI Assistant with 25,571. These figures indicate concentrated distribution: the top two plugins alone account for roughly 76% of the declared total. The source does not specify how many of these installations are active, nor how many users actually entered API keys in settings.
Why This Matters
The dossier documents no specific remedial action by JetBrains at the time of publication. The company had not responded to BleepingComputer's request for comment, and the plugins remained accessible via the official marketplace. This response delay is a material fact: the distribution intermediary has not halted the availability of malicious code verified by a third party.
The source does not specify the exact nature of exfiltrated data beyond API keys, nor does it document individual victims of financial abuse. No CVE identifier is associated with the analyzed artifacts. The identity of the operators behind the seven vendor accounts remains unknown, as does the jurisdiction of the exfiltration server.
The case positions the extension marketplace as an underestimated supply-chain vector. IDEs are high-credential-intensity work environments: developers store keys for cloud services, third-party APIs, and authentication tokens. A plugin that "works" — delivering the promised service — generates operational trust that masks malicious behavior. The model's very structure, where malicious code is conditional on a specific user action (clicking "Apply"), reduces the likelihood of detection via superficial static analysis.
The key-recirculation pattern, while not independently verified, introduces a parasitic economy: victims become unwitting suppliers of a paid resource for further victims. If it holds as the discovering researcher describes it, this mechanism extends the incident's temporal impact even after the individual removal of a compromised plugin, because stolen keys remain in circulation until their owners rotate them.
Information is based on the cited source and current as of publication.
Sources
- https://www.bleepingcomputer.com/news/security/malicious-jetbrains-marketplace-plugins-steal-ai-api-keys-from-developers/
- https://checkmarx.com/blog/checkmarx-security-update/
- https://snyk.io/platform/ide-plugins/
- https://www.aikido.dev/blog/github-breached-vs-code-extension
- https://thehackernews.com/2026/05/compromised-nx-console-18950-targeted.html
- https://security.snyk.io/
- https://www.stepsecurity.io/blog/nx-console-vs-code-extension-compromised