15 malicious JetBrains plugins silently exfiltrated AI provider API keys across nearly 70,000 installs over eight months. Here is what happened and what your team must do now.
Fake AI Plugins Hit JetBrains Marketplace, Stealing Developer API Keys in Bulk
A coordinated supply chain attack quietly drained AI credentials from developers' IDEs for eight months. Here is what happened, who is at risk, and what your team must do right now.
What Happened
Aikido Security researcher Ilyas Makari flagged a coordinated malware campaign on the JetBrains Marketplace, reporting publicly on June 16 and 17, 2026. He found at least 15 malicious IDE plugins published under seven vendor accounts, all sharing the same hidden behavior: exfiltrating the AI provider API keys that users stored in their settings. Together, those plugins had been installed close to 70,000 times.
The plugins posed as AI coding assistants, code-review tools, and Git utilities built on popular services including OpenAI, DeepSeek, and SiliconFlow. The two most downloaded were DeepSeek AI Assist (27,727 downloads) and CodeGPT AI Assistant (25,571 downloads). The earliest versions appeared at the end of October 2025, and new ones were still being released in June 2026, meaning the attack ran silently for roughly eight months before anyone raised the alarm.
How the Theft Actually Works
The mechanism is deceptively simple. Each plugin delivered its advertised features: chat, commit messages, code review, bug finding, and unit tests. Everything worked as expected. But when a user clicked "Apply" in the settings panel, a small handler quietly copied the entered API key and sent it over plain HTTP to a hardcoded attacker-controlled server at IP address 39.107.60.51.
There was also a secondary monetization layer. The plugins offered a paid tier: after paying a small fee, users received an API key for model calls, replacing their own credentials. Aikido Security noted this was unusual, since legitimate operators do not distribute unrestricted paid API keys. The likely explanation: the operators harvested credentials from free users and resold access to paying customers.
IDE plugins run inside tools developers trust all day, sitting next to source code, project configs, and now paid AI services. A malicious extension does not need a sophisticated exploit chain when the user willingly hands it a long-lived API key.
Why This Matters Beyond the API Key
Stolen API keys look like a minor billing headache. They are not. Valid authentication tokens give attackers a foothold to map out databases, source code repositories, and integrated production pipelines, all without triggering traditional signature-based defenses.
Sophos incident telemetry shows that 66.5 percent of ransomware victims identified their primary identity breach as the mechanism that enabled the subsequent ransomware execution. A stolen OpenAI or DeepSeek key is not just an AI services cost problem. It is a potential pivot point into your CI/CD pipeline, your cloud infrastructure, and your source code.
JetBrains plugins do go through a manual review process before reaching the marketplace. Even so, compact malicious logic buried inside an otherwise functional plugin can slip through. Manual review can miss intent. Automated checks can miss context. A plugin can be small, working, and still exfiltrate the one thing attackers care about.
JetBrains' Response
On June 16, 2026, JetBrains received security reports detailing the campaign. The company moved quickly once notified. All 15 flagged plugins have been purged from the marketplace and blocked from future downloads. The seven associated publisher accounts have been permanently terminated, and all affected plugins have been explicitly marked as broken in their backend architecture.
One critical gap remains: BleepingComputer independently confirmed the credential-theft code was still present in the DeepSeek AI Assist plugin at the time of original reporting. If your developers had any of these plugins installed before June 17, 2026, treat every stored API key as compromised.
What Your Team Must Do Right Now
1. Audit every developer machine for the affected plugins. Navigate to Settings, then Plugins, then Installed in your IDE and manually remove any unverified AI assistants, automated code reviewers, or Git add-ons. The full list of 15 flagged plugin IDs is available in Aikido Security's public report and on the JetBrains blog.
2. Rotate every API key that touched a JetBrains IDE. If a key was entered into any affected plugin, assume it is compromised even if you cannot find network logs. Rotate keys for OpenAI, DeepSeek, SiliconFlow, and any other AI provider your developers use. Check for unexpected spend or quota depletion in your provider dashboards immediately.
3. Search your network logs for the malicious server. Look for outbound connections to IP 39.107.60.51 and the paths /api/software/key and /api/software/check. Also review AI provider usage for unusual calls, unfamiliar access patterns, or unexpected quota depletion.
4. Understand what the "Verified" badge actually means. The Verified Vendor Badge on JetBrains Marketplace confirms a publisher's profile is tied to a real legal entity. It is not a technical guarantee of a plugin's code safety. Treat any third-party plugin that handles credentials as untrusted until you have reviewed it.
5. Enforce outbound network controls on developer workstations. Centralised governance over browser extensions, IDE add-ons, and local build dependencies helps catch suspicious outbound calls before credentials leave the machine. Intercepting execution at the package manager level prevents compromised software from installing in the first place.
6. Stop storing long-lived API keys in IDE plugin settings. Use short-lived tokens wherever your AI provider supports them, and manage secrets through a dedicated vault rather than IDE configuration menus. Treat every plugin that runs with your privileges as a dependency that needs proper vetting.
The Bigger Picture
This attack is part of a clear trend: adversaries targeting the developer toolchain itself rather than end-user applications. When your IDE is compromised, everything that flows through it, code, keys, and cloud credentials, is at risk.
CI/CD systems and IDEs are not peripheral. They are the software factory. If attackers control those systems, they can influence what gets built, tested, reviewed, and shipped. Security teams that treat developer workstations as lower-risk than production servers need to reassess that assumption today.
How 247techify Can Help
At 247techify, we help businesses audit developer environments, enforce secrets management policies, and build security controls around CI/CD pipelines and third-party tooling. If you are unsure whether your team's API keys have been exposed, or you want the right guardrails in place, get in touch at https://www.247techify.com/ and we will help you assess and act fast.
