Malicious JetBrains and VS Code Extensions Steal OpenAI, Anthropic, and DeepSeek API Keys

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

Developers who rely on AI coding tools are now facing a serious new threat. A coordinated malware campaign has been uncovered on the JetBrains Marketplace, where at least 15 fake IDE plugins were quietly stealing AI provider API keys from thousands of developers.

The plugins posed as helpful AI coding assistants built on DeepSeek, OpenAI, and SiliconFlow, but hid a dangerous credential-theft routine beneath their surface.

The attack spanned roughly eight months, with the earliest malicious plugins appearing in late October 2025 and new ones still being published as recently as June 10, 2026.

Together, the 15 plugins accumulated close to 70,000 combined installs across seven vendor accounts before being detected. The scale and persistence of this campaign highlight just how deeply developers trust marketplace ecosystems and how easily that trust can be weaponized.

Researchers at Aikido Security were the first to identify and publicly disclose the campaign. The Cloud Security Alliance (CSAI) said in a report shared with Cyber Security News (CSN) that IDE plugin ecosystems have become a primary attack surface for AI credential theft, noting that supply chain integrity controls have not been extended to these environments.

All three documented campaigns confirm that the developer toolchain is now a well-recognized and actively exploited target.

Alongside the JetBrains campaign, researchers tracked two related threats active during the same window.

The GlassWorm worm targeted the Visual Studio Code Marketplace and the OpenVSX Registry, while a separate Nx Console supply chain compromise hit GitHub’s Internal Repository. Together, they reflect a wider pattern of attackers converging on developer tools as a high-value entry point.

The financial stakes make these attacks especially attractive. AI inference is costly, and enterprise customers pay significant monthly fees for model access.

A stolen API key lets an attacker consume that quota at zero cost while the legitimate owner keeps paying the bill, creating a growing black market for resold AI access.

Malicious JetBrains and VS Code Extensions

All 15 malicious plugins shared nearly identical code, repackaged and relisted under different names and vendor accounts.

When a developer entered their API key into the plugin settings and clicked Apply, the credential was stored locally as expected but simultaneously forwarded via a plain HTTP POST request to a hardcoded attacker-controlled server.

No notification and no consent screen ever appeared in the interface. monetization layer that sets this campaign apart from ordinary credential theft.

Some plugins offered a paid tier, and once a user paid a small fee, the attacker’s server would return a working API key to the client.

Researchers believe those returned keys were likely stolen from free-tier victims, turning the campaign into a credential resale service where attackers collected both money and free AI compute.

GlassWorm and the Broader VS Code Risk

GlassWorm, a technically advanced threat first identified by Koi Security in October 2025, spread through malicious VS Code extensions on the OpenVSX Registry.

It used invisible Unicode characters to hide malicious logic inside extension source files, making the code appear as empty lines to human reviewers and automated tools alike. This technique allowed the malware to slip past most standard review processes undetected.

Once active, GlassWorm harvested GitHub tokens, npm tokens, OpenVSX tokens, and cryptocurrency wallet data. It then force-pushed malicious commits to every repository the victim’s account could reach, spreading the infection to any developer who later cloned those repositories.

CrowdStrike, together with Google and the Shadowserver Foundation, neutralized all four GlassWorm command-and-control channels on May 26, 2026.

Developers should immediately audit all installed JetBrains plugins and VS Code extensions and treat any API key entered into an unvetted plugin as fully compromised.

Keys for OpenAI, Anthropic, DeepSeek, and SiliconFlow should be revoked and rotated through their respective provider dashboards without delay.

Network teams should block outbound traffic to the attacker’s server, and organizations should require behavioral review, not only static code scanning, before approving new IDE plugins.

Indicators of Compromise (IoCs):-

Type Indicator Description
IP Address 39.107.60[.]51 Hardcoded C2 server receiving stolen API keys via plain HTTP POST 
URL hxxp://39.107.60[.]51/api/software/key Exfiltration endpoint used by all 15 malicious JetBrains plugins 
Plugin ID org.sm.yms.toolkit DeepSeek Junit Test — 1,121 downloads, released 2025-10-31 
Plugin ID com.json.simple.kit DeepSeek Git Commit — 1,894 downloads, released 2025-11-01 
Plugin ID org.bug.find.tools DeepSeek FindBugs — 1,485 downloads, released 2025-11-09 
Plugin ID org.translate.ai.simple DeepSeek AI Chat — 1,317 downloads, released 2025-11-23 
Plugin ID com.yy.test.ai.simple DeepSeek Dev AI — 740 downloads, released 2025-11-30 
Plugin ID com.dev.ai.toolkit DeepSeek AI Coding — 450 downloads, released 2025-12-06 
Plugin ID com.json.view.simple AI FindBugs — 623 downloads, released 2025-12-14 
Plugin ID com.my.git.ai.kit AI Git Commitor — 301 downloads, released 2026-01-10 
Plugin ID org.check.ai.ds AI Coder Review — 735 downloads, released 2026-01-11 
Plugin ID com.review.tool.code DeepSeek Coder AI — 3,498 downloads, released 2026-01-15 
Plugin ID org.code.assist.dev.tool AI Coder Assistant — 319 downloads, released 2026-02-01 
Plugin ID com.coder.ai.dpt DeepSeek Code Review — 278 downloads, released 2026-04-18 
Plugin ID com.my.code.tools CodeGPT AI Assistant — 25,571 downloads, released 2026-06-09 
Plugin ID ord.cp.code.ai.kit DeepSeek AI Assist — 27,727 downloads, released 2026-06-10 
Plugin ID com.dp.git.ai.tool Coding Simple Tool — 3,931 downloads 
API Auth Token F48D2AA7CF341F782C1D Static token hardcoded in plugins, used to authenticate POST requests to C2 server 

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant UpdatesSet CSN as a Preferred Source in Google.