At least 15 malicious plugins discovered on the JetBrains Marketplace were designed to steal AI API keys from developers.
The campaign, discovered by Aikido Security, consists of plugins that pose as AI coding assistants, code review tools, and Git utilities powered by popular AI providers such as OpenAI, DeepSeek, and SiliconFlow.
“We have detected a coordinated malware campaign on the JetBrains Marketplace,” Aikido warns.
“At least 15 IDE plugins published across seven vendor accounts share the same hidden behavior. Each plugin steals AI provider API keys stored in settings and has been installed nearly 70,000 times.”
According to Aikido, the first malicious plugin was published in October 2025, and new plugins continued to be published as recently as June 10, 2026.
Researchers say the plugins work as advertised, but the AI API key that users enter into the plugin settings is secretly sent to the attackers.
According to the report, the theft occurs when the user clicks “Apply” after entering the API key; the credentials are then sent over plain, unencrypted HTTP to a hardcoded server at 39.107.60(.)51, at the following URL:
hxxp://39.107.60(.)51/api/software/key
The researchers found that all 15 plugins share similar code, submitted as different Marketplace plugins.
Aikido also found that the remote server can supply AI API keys to paying users.
It is unclear where these API keys come from, but Aikido theorizes that the plugin operator may be collecting credentials from free users and handing them out to paying users.
“The plugin also has a paid tier. Once the user pays a small fee through a donation wall built into the plugin, the server sends the API key back to the client and the plugin starts using that key for its model calls instead of its own key. That is unusual. No legitimate operator would hand over an unrestricted key to the user to work with a paid AI provider,” says Aikido.
BleepingComputer downloaded and analyzed the latest version of the DeepSeek AI Help plugin (Plugin ID: ord.cp.code.ai.equipment) and independently confirmed that it still contains the credential theft code described in Aikido’s report.
At the time of this writing, the plugin remained available for download from the JetBrains Marketplace.
The campaign plugins discovered by Aikido are:
- DeepSeek Junit check (org.sm.YS.toolkit)
- DeepSeek Git commit (com.json.easy.equipment)
- DeepSeek FindBugs (org.bug.discover.instruments)
- DeepSeek AI Chat (org.translate.ai.easy)
- DeepSeek Dev AI (com.yy.check.ai.easy)
- DeepSeek AI Coding (com.dev.ai.toolkit)
- AI FindBugs (com.json.view.easy)
- AI Git Committer (com.my.git.ai.equipment)
- AI Coder Evaluation (org.verify.ai.ds)
- DeepSeek Coder AI (com.evaluation.software.code)
- AI Coder Assistant (org.code.help.dev.software)
- DeepSeek Code Evaluation (com.coder.ai.dpt)
- CodeGPT AI Assistant (com.my.code.instruments)
- DeepSeek AI Help (ord.cp.code.ai.equipment)
- Simple coding software (com.dp.git.ai.software)
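A host-side check for this campaign, written as an added example for this article and not code from Aikido, BleepingComputer or JetBrains: it walks a JetBrains plugins directory, reads each plugin's META-INF/plugin.xml from the JARs under lib/, and flags plugin IDs that appear on the list above as well as JARs whose contents carry the hardcoded server address from the report. The directory layout (one folder per plugin with its JARs under lib/), the typical plugin paths mentioned in the comments, and the two sample plugins the script builds for itself are assumptions or constructed test data, not artifacts recovered from the campaign.

```python
"""
Scan a JetBrains plugins directory for the plugin IDs and the hardcoded
exfiltration host named in the article. Added example, not vendor code.

Assumed layout: <plugins_dir>/<PluginName>/lib/*.jar, each JAR carrying
META-INF/plugin.xml with an <id> element. Typical plugins_dir locations
(assumption, check your install): ~/.local/share/JetBrains/<Product><Version>
on Linux, ~/Library/Application Support/JetBrains/<Product><Version> on macOS.
"""
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET

# Plugin IDs exactly as listed in the article.
KNOWN_BAD_IDS = {
    "org.sm.YS.toolkit", "com.json.easy.equipment", "org.bug.discover.instruments",
    "org.translate.ai.easy", "com.yy.check.ai.easy", "com.dev.ai.toolkit",
    "com.json.view.easy", "com.my.git.ai.equipment", "org.verify.ai.ds",
    "com.evaluation.software.code", "org.code.help.dev.software", "com.coder.ai.dpt",
    "com.my.code.instruments", "ord.cp.code.ai.equipment", "com.dp.git.ai.software",
}

# Exfiltration host from the report (the article prints it defanged).
# Java class files store ASCII string constants as the same bytes, so a raw
# substring search over every JAR entry is enough for this indicator.
C2_HOST = b"39.107.60.51"


def plugin_id_from_jar(jar_path):
    """Return the <id> declared in META-INF/plugin.xml, or None if absent."""
    with zipfile.ZipFile(jar_path) as zf:
        if "META-INF/plugin.xml" not in zf.namelist():
            return None
        root = ET.fromstring(zf.read("META-INF/plugin.xml"))
        node = root.find("id")
        return node.text.strip() if node is not None and node.text else None


def jar_contains_host(jar_path, host=C2_HOST):
    """True if any entry in the JAR contains the server address as raw bytes."""
    with zipfile.ZipFile(jar_path) as zf:
        return any(host in zf.read(name) for name in zf.namelist())


def scan_plugins_dir(plugins_dir):
    """Return (plugin_folder, plugin_id, reasons) for every suspicious JAR."""
    findings = []
    for entry in sorted(os.listdir(plugins_dir)):
        lib_dir = os.path.join(plugins_dir, entry, "lib")
        if not os.path.isdir(lib_dir):
            continue
        for fname in sorted(os.listdir(lib_dir)):
            if not fname.endswith(".jar"):
                continue
            jar = os.path.join(lib_dir, fname)
            reasons = []
            pid = plugin_id_from_jar(jar)
            if pid in KNOWN_BAD_IDS:
                reasons.append("plugin id is on the published indicator list")
            if jar_contains_host(jar):
                reasons.append("JAR contains the hardcoded exfiltration host")
            if reasons:
                findings.append((entry, pid, reasons))
    return findings


def _write_plugin(plugins_dir, folder, plugin_id, extra_entries):
    """Constructed test data: create <folder>/lib/plugin.jar with a plugin.xml."""
    lib_dir = os.path.join(plugins_dir, folder, "lib")
    os.makedirs(lib_dir)
    xml = "<idea-plugin><id>%s</id><name>%s</name></idea-plugin>" % (plugin_id, folder)
    with zipfile.ZipFile(os.path.join(lib_dir, "plugin.jar"), "w") as zf:
        zf.writestr("META-INF/plugin.xml", xml)
        for name, data in extra_entries.items():
            zf.writestr(name, data)


def run_demo():
    """Build one benign and one indicator-matching sample plugin, then scan."""
    with tempfile.TemporaryDirectory() as plugins_dir:
        _write_plugin(plugins_dir, "BenignFormatter", "com.example.formatter",
                      {"com/example/Fmt.class": b"\xca\xfe\xba\xbe no network here"})
        # Constructed sample that reproduces both indicators from the article.
        _write_plugin(plugins_dir, "SampleAiHelper", "ord.cp.code.ai.equipment",
                      {"config.properties": b"endpoint=http://39.107.60.51/api/software/key"})
        return scan_plugins_dir(plugins_dir)


if __name__ == "__main__":
    for folder, pid, reasons in run_demo():
        print(folder, pid, "; ".join(reasons))
```

Point scan_plugins_dir at a real plugins directory to check a workstation; an empty result means neither indicator was found, not that the IDE is clean, since new plugin IDs were still being published when the article went to press.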
The two most downloaded plugins are DeepSeek AI Help (27,727 downloads) and CodeGPT AI Assistant (25,571 downloads).
However, the researchers caution that download counts can be manipulated and should not necessarily be treated as individual installations.
Malicious packages are commonly found in repositories like npm and PyPI, but reports of credential-stealing plugins distributed through the JetBrains Marketplace are much rarer.
BleepingComputer contacted JetBrains about the malicious plugins but had not received a response at the time of publication.