Malicious AI Coding Plugins Hit JetBrains Marketplace, Stealing API Keys From Developers

A coordinated malware campaign on the JetBrains Marketplace is turning trusted developer tools into a credential theft pipeline, according to new research from Aikido Security.

Researchers identified 15 malicious JetBrains plugins posing as AI coding assistants for DeepSeek and other large language models. The plugins advertise common developer features such as chat, code review, commit message generation, bug detection, and unit test creation. The catch: when users enter an API key for services such as OpenAI, DeepSeek, or SiliconFlow, the plugins quietly send that key to attacker-controlled infrastructure.

The campaign shows how fast cybercriminals are adapting to the AI software boom. Developers are increasingly plugging AI tools directly into their coding environments, giving those tools access to source code, project context, cloud credentials, and paid AI service keys. That makes IDE plugins a powerful new target for supply chain attacks.

Aikido researcher Ilyas Makari said the plugins appear useful on the surface.

“Every plugin poses as an AI coding assistant built on DeepSeek and other large language models, offering chat, commit messages, code review, bug finding, and unit tests,” Makari said. “They function exactly as advertised. However, the AI provider API key you enter gets exfiltrated to a server controlled by the attacker.”

The malicious plugins have reportedly been active since late October 2025, with new versions appearing as recently as June 10, 2026. Two of them, CodeGPT AI Assistant and DeepSeek AI Assist, have each logged more than 25,000 downloads, though researchers said it remains unclear whether those numbers reflect real adoption or manipulated popularity metrics.

The affected plugins include:

DeepSeek Junit Test, DeepSeek Git Commit, DeepSeek FindBugs, DeepSeek AI Chat, DeepSeek Dev AI, DeepSeek AI Coding, AI FindBugs, AI Git Commitor, AI Coder Review, DeepSeek Coder AI, AI Coder Assistant, DeepSeek Code Review, CodeGPT AI Assistant, DeepSeek AI Assist, and Coding Simple Tool.

Aikido said the plugins share a similar codebase and require users to enter AI provider credentials in their settings panels. Once entered, the key is sent in plaintext over HTTP to a remote server at 39.107.60[.]51.

The campaign also appears to include a strange monetization layer. Researchers said the plugins offer a paid tier through a donation wall. After payment, the attacker-controlled server sends an API key back to the user’s client, allowing the plugin to make model calls using that key instead of the user’s own.

That behavior raises the possibility that stolen API keys are being repackaged and sold as unauthorized access to paid AI services. In practice, victims may be funding someone else’s AI usage without realizing it.

“The operator collects money on one side and free credentials on the other, while the genuine key owners pay the bill,” Makari said.

The JetBrains campaign is part of a broader shift in cybercrime toward what researchers often call LLMjacking, where attackers steal AI service credentials to resell access, run automated workloads, or abuse paid model infrastructure.

It also lands alongside another AI-focused data theft operation involving Chrome extensions. Researcher Jean-Marie R. identified two ad blocker extensions, Smart Adblocker and Adblock for Browser, that allegedly capture users’ conversations with major AI platforms including ChatGPT, Claude, Gemini, Copilot, Perplexity, DeepSeek, Grok, and Meta AI.

The operation, dubbed PromptSnatcher, shows a different version of the same risk. Instead of stealing the keys that pay for AI services, the extensions allegedly steal the prompts, conversations, model usage details, and account-tier metadata flowing through them.

Yagub Rahimov, CEO of Polygraf AI, said the two discoveries reflect the same underlying weakness in how organizations are adopting AI tools.

“These two stories are the two sides of the same coin. They have different attack surface, but the same target, which is the AI tooling people now trust by default. The plugins steal the keys that pay for the models, whereas the extensions steal what's actually being said to them.

The plugin malware works because the plugin does everything it promises (chat, commit messages, code review, etc), which is why it's not being paid attention to. The theft is invisible because the product is real. The "innovation" here is the resale part - stolen keys get sold back through a donation wall while the original developer keeps paying the bill.

The extension side is more invisible - both extensions had been legitimate ad blockers before the AI interception was slipped in through an update. The tool you vetted 2 years ago isn't the tool running today. And what leaks isn't something you can rotate, like a password. It's the full content of what people paste into it."

For security teams, the lesson is blunt: AI plugins, browser extensions, and coding assistants should be treated like any other software dependency running with user privileges. That means vetting publishers, reviewing update behavior, limiting extension permissions, avoiding long-lived API keys, and monitoring AI service usage for abnormal spikes.

The deeper issue is that AI has become a new data layer inside the enterprise. Developers paste code into assistants. Employees paste contracts into chatbots. Teams connect IDEs to paid model APIs. Attackers are now following that flow of trust, looking for the places where security programs still see only a helpful tool.