preloader

· security devops jetbrains developer-tools supply-chain ai ide

Fifteen Malicious JetBrains Plugins Stole AI API Keys from 70,000 Developer Installs

Source: BleepingComputer / Aikido Security

Researchers at Aikido Security have published details of a coordinated malware campaign that ran for more than seven months on the JetBrains Marketplace, the official plugin repository for IntelliJ IDEA, PyCharm, WebStorm, and the broader JetBrains IDE family. At least 15 plugins, published across seven separate vendor accounts, contained identical hidden behaviour: whenever a developer entered an AI provider API key and clicked “Apply”, the credential was silently sent over HTTP to a hardcoded attacker-controlled server at 39.107.60[.]51.

The campaign was active from October 2025, with the most recent malicious plugin released on 10 June 2026. Two of the plugins, CodeGPT AI Assistant and DeepSeek AI Assist, each showed more than 25,000 downloads.

What the plugins did

Each plugin presented as a legitimate AI coding assistant offering features such as chat, automated commit messages, code review, bug detection, and unit test generation. The value proposition was plausible and the plugins were polished enough to attract genuine users. The malicious behaviour was confined to the settings flow: when a developer entered their AI provider API key to connect the plugin to a service such as OpenAI or DeepSeek, the key was transmitted to the attacker’s server before being stored locally.

The theft occurred on the “Apply” event, meaning the key was exfiltrated the moment a developer confirmed their settings, not during subsequent use. The transmission used plain HTTP rather than HTTPS, making it visible on any network with traffic inspection in place, but invisible on an HTTPS-only monitoring policy.

Because the stolen credential is an API key rather than a password, there is no authentication step that would alert the developer to unauthorised use. An attacker holding a stolen OpenAI key can query the API, incur charges against the victim’s billing account, and potentially access any data the key has permissions for, including fine-tuned models and uploaded documents in the account.

Scale and scope

The seven vendor accounts that published the malicious plugins each had convincing profiles with multiple listed tools, suggesting deliberate investment in appearing legitimate. The install counts, while potentially inflated by automated requests, indicate that the plugins ranked well enough in JetBrains Marketplace search results to reach working developers in meaningful numbers.

Aikido identified the shared exfiltration endpoint and the common code pattern across all 15 plugins. JetBrains was notified and has since removed the plugins. However, any developer who installed one of the flagged plugins and entered an AI provider key has had that key captured.

Why developer tooling is a high-value target

AI provider API keys are increasingly valuable credentials. An OpenAI key with active billing gives an attacker access to powerful language model inference at the victim’s expense. A key associated with an organisation’s account may also provide access to custom models, uploaded datasets, assistant configurations, and API usage logs that reveal how the organisation is using AI internally.

Developer IDEs are an attractive target for this class of attack because they are trusted applications that developers interact with continuously during work, are frequently extended via plugins from third parties, and are granted broad filesystem access as a standard part of their function. A malicious plugin installed in IntelliJ runs with full access to the developer’s home directory, environment variables, and any credentials stored in plaintext configuration files on the system.

This campaign is architecturally distinct from a compromised package in npm or PyPI because it targeted the IDE directly rather than a dependency in project code. Detection tooling focused on build artefacts and runtime dependencies would not have flagged it.

Immediate steps for affected teams

If any developer in your organisation uses JetBrains IDEs with AI assistant plugins, audit which plugins are installed and cross-reference against the list of removed plugins from the JetBrains Marketplace security advisory. Remove any flagged plugins immediately.

Rotate all AI provider API keys that were entered into JetBrains IDE plugin settings during the period from October 2025 to mid-June 2026. This applies to keys for OpenAI, Anthropic, DeepSeek, and any other AI service configured through an IDE plugin. Rotation is a low-cost precaution relative to the potential exposure from a stolen API key.

Review AI provider billing dashboards and API usage logs for unexpected activity, particularly any queries from unfamiliar IP addresses or usage patterns that do not correspond to your team’s working hours and typical request volume.

At the policy level, restrict which plugins developers can install in company-managed JetBrains installations, or require security review before new plugins are added. JetBrains supports managed IDE configurations that can whitelist approved plugins in enterprise environments.

A structural problem with marketplace trust

The JetBrains Marketplace applies automated security checks to submitted plugins, but this campaign evaded those checks for over seven months. The exfiltration code was simple and only activated on a specific user action, which may have helped it avoid automated sandboxing that looks for malicious behaviour on installation or launch.

This is a pattern seen across all major IDE and browser extension marketplaces. Automated checks catch known malicious signatures and obvious runtime behaviour but struggle with targeted theft that fires on a specific user input event. For developer toolchains, where the trust model already extends to executing arbitrary code, the security review baseline needs to be substantially higher than it currently is.

If your organisation wants to audit its developer toolchain for supply chain risk, implement plugin governance policies for JetBrains or other IDEs, or review the security posture of AI tools in use across your engineering team, contact Excello Digital. We help European engineering organisations assess and secure the full developer environment, including the tooling that sits between your code and your cloud.

These news items are automatically aggregated from industry sources and are not individually reviewed. Any inaccuracies are unintentional — let us know and we'll correct or remove it.

Back to news

We’ll help you resolve your infrastructure challenges

Our team of experts is ready to help you with your infrastructure challenges. We’ll give you honest and personal treatment. Get in touch to learn more.

Get in touch!