Multiple JetBrains IDE Plugins With 70,000+ Installs Caught Stealing AI Keys

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A large-scale malware campaign has been uncovered on the JetBrains Marketplace, where at least 15 malicious IDE plugins were found stealing sensitive API keys from developers.

These plugins, downloaded over 70,000 times, were published under seven different vendor accounts and disguised as legitimate AI-powered coding assistants.

According to Aikido’s research, the malicious plugins claimed to offer useful developer features such as AI chat, code generation, bug detection, commit message creation, and unit test writing.

They appeared functional and delivered the promised features, making them difficult to detect. However, behind the scenes, they were silently harvesting users’ API keys.

JetBrains Plugins Caught Stealing AI Keys

Aikido researchers found that all identified plugins share a nearly identical codebase that has been slightly modified and republished under different names. To use these tools, developers must enter API keys for services such as OpenAI, DeepSeek, or SiliconFlow.

Once the user enters the API key and clicks “Apply,” the plugin immediately captures and exfiltrates the key without any warning or consent.

The malicious logic is embedded in the plugin’s settings handler, enabling instant, invisible data theft. The stolen API keys are sent via an HTTP POST request to a hardcoded command-and-control (C2) server located at 39.107.60[.]51.

The communication occurs over plaintext HTTP, exposing sensitive credentials to interception and misuse.

The plugins also include a paid tier, which raises further concerns. After a user makes a payment, the plugin receives a new API key from the attacker-controlled server and begins using it in place of the user’s original key.

Aikido suggests this may indicate a resale scheme, where stolen API keys from victims are redistributed to paying users. This allows attackers to monetize both stolen credentials and paid subscriptions while shifting operational costs to unsuspecting victims.

The campaign dates back to October 2025, with new malicious plugins continuing to appear as recently as June 2026.

Aikido noted that the actual impact may be higher than reported, as download counts can be manipulated and fake positive reviews were observed on plugin listings.

Integrated Development Environments (IDEs) are increasingly targeted in supply chain attacks because they hold highly sensitive data.

These include source code, credentials, signing keys, and now AI service API keys. Plugins typically run with high privileges and are trusted by developers, making them an ideal vector for stealthy attacks.

Even with JetBrains’ manual review process, small hidden malicious functions can evade detection.

Indicators of Compromise (IOCs)

C2 Server

  • 39.107.60[.]51

Affected Plugins

  • DeepSeek Junit Test (org.sm.yms.toolkit) – 1,121 downloads
  • DeepSeek Git Commit (com.json.simple.kit) – 1,894 downloads
  • DeepSeek FindBugs (org.bug.find.tools) – 1,485 downloads
  • DeepSeek AI Chat (org.translate.ai.simple) – 1,317 downloads
  • DeepSeek Dev AI (com.yy.test.ai.simple) – 740 downloads
  • DeepSeek AI Coding (com.dev.ai.toolkit) – 450 downloads
  • AI FindBugs (com.json.view.simple) – 623 downloads
  • AI Git Commitor (com.my.git.ai.kit) – 301 downloads
  • AI Coder Review (org.check.ai.ds) – 735 downloads
  • DeepSeek Coder AI (com.review.tool.code) – 3,498 downloads
  • AI Coder Assistant (org.code.assist.dev.tool) – 319 downloads
  • DeepSeek Code Review (com.coder.ai.dpt) – 278 downloads
  • CodeGPT AI Assistant (com.my.code.tools) – 25,571 downloads
  • DeepSeek AI Assist (ord.cp.code.ai.kit) – 27,727 downloads
  • Coding Simple Tool (com.dp.git.ai.tool) – 3,931 downloads

Vendor Accounts

  • CodePilot (mycode)
  • StackSmith (misshewei)
  • CodeCrafter (keteme)
  • CodeWeaver (simpledev)
  • JetCode (skyblue)
  • DailyCode (dialycode)
  • ZenCoder (947cb4c8-5db1-4cf0-8182-0aae7c433bb3)

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Mitigations

Aikido recommends that developers immediately remove any affected plugins and revoke exposed API keys. It is critical to rotate credentials and monitor for unusual API usage or billing spikes.
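To support the first of those steps (finding the affected plugins on a machine), here is an added Python check; it is not code from Aikido, JetBrains or the plugins themselves. It assumes the standard JetBrains plugin layout, in which each plugin jar declares its ID in `META-INF/plugin.xml` as `<id>…</id>`, and matches those IDs against the list in this report; the sample plugins directory it builds for a dry run is constructed test data, not real plugins.

```python
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# Plugin IDs taken from the "Affected Plugins" list in the article.
AFFECTED_PLUGIN_IDS = {
    "org.sm.yms.toolkit", "com.json.simple.kit", "org.bug.find.tools",
    "org.translate.ai.simple", "com.yy.test.ai.simple", "com.dev.ai.toolkit",
    "com.json.view.simple", "com.my.git.ai.kit", "org.check.ai.ds",
    "com.review.tool.code", "org.code.assist.dev.tool", "com.coder.ai.dpt",
    "com.my.code.tools", "ord.cp.code.ai.kit", "com.dp.git.ai.tool",
}
# A plugin jar declares its ID in META-INF/plugin.xml as <id>...</id> (assumed layout).
_ID_RE = re.compile(r"<id>\s*([^<\s]+)\s*</id>")

def plugin_id_from_descriptor(xml_text: str):
    """Return the <id> value from a plugin.xml descriptor, or None if it has none."""
    match = _ID_RE.search(xml_text)
    return match.group(1) if match else None

def find_affected_plugins(plugins_dir: Path) -> dict[str, Path]:
    """Map each listed plugin ID found under plugins_dir to the jar that declares it."""
    hits: dict[str, Path] = {}
    for jar in plugins_dir.rglob("*.jar"):
        with zipfile.ZipFile(jar) as zf:
            if "META-INF/plugin.xml" not in zf.namelist():
                continue  # library jar without a plugin descriptor
            pid = plugin_id_from_descriptor(zf.read("META-INF/plugin.xml").decode("utf-8", "replace"))
        if pid in AFFECTED_PLUGIN_IDS:
            hits[pid] = jar
    return hits

def build_sample_plugins_dir(root: Path) -> Path:
    """Constructed test data: one jar carrying a listed ID and one benign jar (not real plugins)."""
    for name, pid in (("Bad", "com.my.code.tools"), ("Good", "com.example.benign")):
        (root / name / "lib").mkdir(parents=True)
        with zipfile.ZipFile(root / name / "lib" / f"{name}.jar", "w") as zf:
            zf.writestr("META-INF/plugin.xml", f"<idea-plugin><id>{pid}</id></idea-plugin>")
    return root

def scan_constructed_sample() -> set[str]:
    """Build the constructed sample in a temp dir and return the affected IDs found there."""
    with tempfile.TemporaryDirectory() as tmp:
        return set(find_affected_plugins(build_sample_plugins_dir(Path(tmp))))

if __name__ == "__main__":
    hits = find_affected_plugins(Path(sys.argv[1])) if len(sys.argv) > 1 else scan_constructed_sample()
    print(hits or "no listed plugin IDs found")
```

Run it with the path to your IDE's plugins directory as the only argument; with no argument it scans the constructed sample. A hit tells you which jar to remove, after which the keys entered into that plugin should be treated as exposed and rotated.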

Security experts recommend treating IDE plugins as high-risk dependencies. Avoid entering sensitive credentials into unverified tools and rely only on trusted publishers.

Organizations should also deploy endpoint monitoring solutions and software supply chain security tools to detect malicious packages early and prevent compromise.

This campaign highlights the growing risk of developer-focused attacks and the importance of vigilance when integrating third-party tools into development environments.
