A coordinated malware campaign targeting JetBrains Marketplace has compromised developer workflows by stealing AI API keys through seemingly legitimate plugins. The attack, uncovered by Aikido Security, involves 15 plugins published under seven vendor accounts, all sharing identical malicious functionality despite appearing as distinct tools for AI-assisted coding, code review, and Git operations. These plugins, which interact with services like OpenAI, DeepSeek, and SiliconFlow, have accumulated close to 70,000 downloads since their introduction in October 2025, with new variants continuing to emerge as recently as June 2026.
How the attack works
The malicious plugins operate as advertised, providing AI-powered coding assistance or Git utilities while covertly harvesting API keys entered by users. When a developer inputs an API key into the plugin settings and clicks "Apply," the credential is transmitted over HTTP to a hardcoded server at 39.107.60[.]51. The exfiltration occurs without encryption, exposing sensitive keys to interception. All 15 plugins share nearly identical code, suggesting a single threat actor or group behind the campaign.
Beyond credential theft, the plugins offer a paid tier that introduces further risks. After users pay a small fee, the server provides an API key for the plugin to use instead of the user’s own. Aikido Security notes this behavior is unusual, as legitimate operators would not distribute unrestricted keys to paid AI services. The origin of these redistributed keys remains unclear, though researchers speculate they may be harvested from free users and repurposed for paid subscribers.
- 15 malicious plugins identified, published under 7 vendor accounts
- Nearly 70,000 cumulative downloads since October 2025
- API keys exfiltrated to 39.107.60[.]51 over unencrypted HTTP
- Paid tier redistributes API keys, likely stolen from free users
- Plugins remain available on JetBrains Marketplace as of June 2026
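The exfiltration path described above (an IDE process sending a freshly entered key in plaintext to a hardcoded address) is the kind of behaviour that egress or proxy telemetry can catch. The following is an added detection example, not code from the article or from Aikido Security: it parses a constructed, hypothetical proxy log format (timestamp, process, scheme, destination IP, port, method, path, body snippet), restricts attention to JetBrains IDE processes, and raises an alert when a key-shaped token leaves over plain HTTP or when any request reaches the indicator address published in the article. The process names, log format and key patterns are assumptions for the demo.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample egress log lines for the demo; this is not real telemetry.
# Hypothetical format: ts process scheme dest_ip dest_port method path body_snippet
SAMPLE_LOG = """\
2026-06-17T09:14:02Z idea64.exe https 104.18.0.1 443 POST /v1/chat/completions {"model":"gpt-4o"}
2026-06-17T09:14:05Z idea64.exe http 39.107.60.51 80 POST /api/key key=sk-proj-AbCdEf0123456789AbCdEf0123456789
2026-06-17T09:15:10Z chrome.exe https 142.250.0.1 443 GET / -
2026-06-17T09:16:44Z pycharm64.exe http 39.107.60.51 80 POST /api/key key=sk-0123456789abcdef0123456789abcdef
2026-06-17T09:17:00Z idea64.exe https 104.18.0.1 443 POST /v1/models -
"""

# Assumed IDE process names; extend for the IDEs in use at the site.
IDE_PROCESSES = {"idea64.exe", "pycharm64.exe", "webstorm64.exe", "goland64.exe", "clion64.exe"}
# Indicator taken from the article (defanged there as 39.107.60[.]51).
KNOWN_EXFIL_HOSTS = {"39.107.60.51"}
# Loose API-key shapes: OpenAI-style "sk-..." tokens and long hex strings (assumption).
KEY_PATTERN = re.compile(r"\b(sk-[A-Za-z0-9_-]{16,}|[0-9a-f]{32,})\b")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>\S+) (?P<scheme>https?) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<port>\d+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<body>.*)$"
)


@dataclass
class Alert:
    ts: str
    proc: str
    dest: str
    reasons: tuple


def analyze(log_text: str) -> list[Alert]:
    """Return one Alert per IDE-originated request that looks like key exfiltration."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proc"] not in IDE_PROCESSES:
            continue  # malformed line or not an IDE process
        reasons = []
        if m["scheme"] == "http":
            reasons.append("plaintext-http")
        if m["ip"] in KNOWN_EXFIL_HOSTS:
            reasons.append("known-exfil-host")
        if KEY_PATTERN.search(m["body"]):
            reasons.append("api-key-in-body")
        # Fire on a key-shaped body leaving in plaintext (even to an unknown host),
        # or on any contact with the published indicator address.
        if ("api-key-in-body" in reasons and "plaintext-http" in reasons) or "known-exfil-host" in reasons:
            alerts.append(Alert(m["ts"], m["proc"], f"{m['ip']}:{m['port']}", tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.ts} {a.proc} -> {a.dest}: {', '.join(a.reasons)}")
```

The plaintext-plus-key rule is deliberately independent of the indicator list, so a new variant pointing at a different server still fires as long as it keeps the unencrypted transport; legitimate AI traffic over HTTPS to the provider's own hosts does not match either rule.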
Impact on developers and organizations
The campaign highlights a growing risk in developer tooling ecosystems, where malicious actors exploit trust in marketplace platforms to distribute credential-stealing malware. Unlike npm or PyPI, where such attacks are more common, the JetBrains Marketplace has seen fewer reported incidents, making this campaign particularly notable. The plugins’ ability to function normally while executing hidden malicious code increases the likelihood of prolonged undetected use, especially in environments lacking robust monitoring of IDE plugin behavior.
For organizations, the theft of AI API keys can lead to financial losses, as attackers may use the keys to incur charges on the victim’s account or access proprietary models. The redistribution of stolen keys to paid users further complicates attribution and remediation, as the keys may be used across multiple unrelated projects. Developers who installed any of the affected plugins should immediately revoke exposed API keys and audit their systems for signs of misuse.
- Revoke any API keys entered into JetBrains plugins matching the affected list
- Audit IDE plugin installations for unauthorized or suspicious tools
- Monitor AI service billing for unexpected usage or charges
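The audit step above can be scripted rather than done by hand. What follows is an added example, not code from the article or a JetBrains tool: it walks an IDE plugins directory, reads each jar's `META-INF/plugin.xml` for the plugin id and vendor, flags ids on a block list, and applies one heuristic drawn from the campaign's behaviour, namely a hardcoded `http://` URL pointing at a raw IPv4 literal anywhere in the jar's contents. The article does not name the affected plugin ids, so `AFFECTED_PLUGIN_IDS` holds a placeholder; `run_demo` builds two constructed, minimal jars in a temporary directory so the audit can be exercised offline.

```python
from __future__ import annotations

import re
import tempfile
import xml.etree.ElementTree as ET
import zipfile
from pathlib import Path

# Placeholder block list: the article does not publish the plugin ids, so
# replace this with the real list from the Aikido Security advisory.
AFFECTED_PLUGIN_IDS = {"com.example.placeholder.ai-helper"}

# Heuristic from the campaign's behaviour: plaintext http:// to a raw IPv4 literal.
RAW_IP_HTTP_RE = re.compile(rb"http://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/\S*)?")


def read_plugin_descriptor(jar: zipfile.ZipFile) -> tuple[str | None, str | None]:
    """Return (plugin_id, vendor) from META-INF/plugin.xml, or (None, None) if absent."""
    try:
        data = jar.read("META-INF/plugin.xml")
    except KeyError:
        return None, None
    root = ET.fromstring(data)
    return root.findtext("id"), root.findtext("vendor")


def audit_plugin_dir(plugins_dir: str | Path) -> list[dict]:
    """Inspect every jar under plugins_dir and return a finding per suspicious jar."""
    findings = []
    for path in sorted(Path(plugins_dir).rglob("*.jar")):
        with zipfile.ZipFile(path) as jar:
            plugin_id, vendor = read_plugin_descriptor(jar)
            reasons = []
            if plugin_id in AFFECTED_PLUGIN_IDS:
                reasons.append("listed-affected-plugin")
            hosts = set()
            for name in jar.namelist():
                if name.endswith("/"):
                    continue  # directory entry
                # Compiled classes keep string constants as UTF-8, so a byte regex
                # over each entry is enough to surface hardcoded URLs.
                for m in RAW_IP_HTTP_RE.finditer(jar.read(name)):
                    hosts.add(m.group(1).decode())
            if hosts:
                reasons.append("hardcoded-http-ip:" + ",".join(sorted(hosts)))
            if reasons:
                findings.append({"jar": str(path), "plugin_id": plugin_id,
                                 "vendor": vendor, "reasons": reasons})
    return findings


def build_sample_plugin(jar_path: Path, plugin_id: str, vendor: str, embedded_text: str) -> None:
    """Write a constructed, minimal plugin jar for the demo (not a real plugin)."""
    jar_path.parent.mkdir(parents=True, exist_ok=True)
    descriptor = (f"<idea-plugin><id>{plugin_id}</id><name>Demo</name>"
                  f"<vendor>{vendor}</vendor></idea-plugin>")
    with zipfile.ZipFile(jar_path, "w") as jar:
        jar.writestr("META-INF/plugin.xml", descriptor)
        # Stands in for compiled bytecode carrying the plugin's string constants.
        jar.writestr("com/example/Settings.class", embedded_text)


def run_demo() -> list[dict]:
    """Build one suspicious and one benign constructed jar, then audit the directory."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Indicator address taken from the article (defanged there as 39.107.60[.]51).
        build_sample_plugin(root / "ai-helper" / "lib" / "ai-helper.jar",
                            "com.example.placeholder.ai-helper", "Placeholder Vendor",
                            "POST http://39.107.60.51/api/key")
        build_sample_plugin(root / "fine" / "lib" / "fine.jar",
                            "com.example.fine", "Fine Vendor",
                            "https://api.openai.com/v1/chat/completions")
        return audit_plugin_dir(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f["plugin_id"], f["vendor"], f["reasons"])
```

Point `audit_plugin_dir` at the IDE's plugins directory on a developer machine to get the same findings for installed plugins. The raw-IP heuristic will not catch a variant that resolves a hostname or uses HTTPS, so treat it as one signal alongside the block list and the billing checks above, not as a complete test.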
Response and next steps
JetBrains has not publicly responded to the disclosure, and the malicious plugins remain available on the Marketplace as of this writing. The lack of immediate action underscores the challenges platforms face in detecting and mitigating supply chain attacks, particularly when malicious code is embedded in otherwise functional tools. Developers are advised to exercise caution when installing plugins, even from trusted marketplaces, and to verify the legitimacy of vendors before entering sensitive credentials.
Aikido Security’s findings serve as a reminder that credential theft campaigns are evolving beyond traditional package repositories. As AI-assisted development tools become more integrated into workflows, the attack surface for such campaigns will likely expand, necessitating stronger vetting processes and real-time monitoring of plugin behavior.
Automated pipeline · Security
Synthesized from 1 industry feed on 17 Jun 2026. Passed independent editor verification (score 92/100) before publication. Style guide v1.3.
Decision trail
- Checking for duplicates — New story No published article covers the malicious JetBrains Marketplace plugins stealing AI API keys.
- Writing the article — Draft created article_id=89 slug=jetbrains-marketplace-plugins-steal-ai-api-keys
- Editor review — Approved
- Score: 92/100
- Factual grounding: The draft states 'nearly 70,000 cumulative installs' while the source specifies 'close to 70,000 times' and clarifies these are downloads, not unique installations. The distinction is minor but should be precise.
- Style compliance: The body length (680 words) slightly exceeds the 300-700 word target but remains within acceptable range for the depth of the story. No padding is evident.
- No copied phrasing: The phrase 'AI-assisted coding, code review, and Git operations' closely mirrors the source's 'AI coding assistants, code-review tools, and Git utilities'. While the facts are correct, the phrasing should be restructured further to avoid echoing the source.
- Quote integrity: The draft omits the direct quote from Aikido Security ('We detected a coordinated malware campaign...') that appears verbatim in the source. While not material, this quote could strengthen the article if included as a blockquote.
- Generating reader Q&A — Generated 5 items
- Assigning hero image — Unsplash unsplash_id=6Gkj0zb2JXI
- Linking related stories — Linked 5 relations from 60 candidates
- Linking related stories — Linked 5 relations from 64 candidates
- Linking related stories — Linked 5 relations from 64 candidates
- Publishing — Published jetbrains-marketplace-plugins-steal-ai-api-keys