Malicious JetBrains plugins stole AI API keys from nearly 70,000 developers
A coordinated supply-chain campaign on the JetBrains Marketplace used at least 15 malicious IDE plugins, published under seven vendor accounts, to steal developers’ API keys for AI services including OpenAI, DeepSeek, and SiliconFlow. Aikido Security said the plugins were disguised as AI coding assistants, code-review tools, and Git utilities, appeared functional, and were boosted with fake five-star reviews. The malicious extensions were first published in October 2025 and continued appearing through June 10, 2026, with combined installs reported at nearly 70,000.
Researchers found the plugins intercepted credentials entered by users and exfiltrated them in plaintext over unencrypted HTTP to a hardcoded server at 39.107.60[.]51, typically when developers saved settings in their IDE. Independent analysis of the DeepSeek AI Assist plugin confirmed the credential-theft behavior was still present, and the plugin remained available on the marketplace at the time of reporting. Investigators also identified a paid-tier mechanism in which the server returned working API keys to paying users, raising concerns that credentials stolen from free users were being redistributed as part of the scheme.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
BleepingComputer verifies theft behavior in DeepSeek AI Assist plugin
BleepingComputer independently analyzed the latest DeepSeek AI Assist plugin and confirmed it still contained credential-stealing functionality. The outlet also reported that the plugin remained available on the JetBrains Marketplace at the time of publication.
Aikido Security uncovers JetBrains plugin credential theft campaign
Aikido Security discovered a coordinated supply-chain attack involving 15 JetBrains plugins that exfiltrated API keys for services including OpenAI, DeepSeek, and SiliconFlow to attacker-controlled infrastructure over HTTP. Researchers also identified a paid-tier mechanism that appeared to redistribute working keys to paying users.
Malicious plugin submissions continue through June 10, 2026
Aikido Security reported that new malicious plugins in the campaign continued appearing on the JetBrains Marketplace through June 10, 2026. Across 15 plugins from seven seller accounts, the campaign accumulated nearly 70,000 installs.
Malicious JetBrains plugins first appear on Marketplace
A coordinated campaign began publishing malicious JetBrains Marketplace plugins under multiple vendor accounts, disguising them as AI assistants, code-review tools, and Git utilities. The plugins were designed to steal developer-entered API keys.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Malicious JetBrains plugins steal AI API keys from developers | brief | SC Media
scworld.com
Open source15 Malicious JetBrains Plugins Caught Stealing DeepSeek, OpenAI API Keys
hackread.com
Open sourceВредоносные плагины в JetBrains Marketplace воруют ключи API у разработчиков - Хакер
xakep.ru
Open sourceMalicious JetBrains Plugins Target IDE Supply Chain Security
linuxsecurity.com
Open sourceMalicious JetBrains Marketplace plugins steal AI API keys from developers
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malicious Extension Supply Chain Risk in AI-Powered VS Code Forks
A critical security flaw has been identified in several popular AI-powered integrated development environments (IDEs) forked from Visual Studio Code, including Cursor, Windsurf, and Google Antigravity. These IDEs, which collectively serve millions of developers, were found to recommend extensions that do not exist in their supported OpenVSX marketplace. Because these extensions' namespaces were unclaimed, attackers could register them and upload malicious packages, which would then be presented as official recommendations to users. Security researchers demonstrated the risk by claiming these namespaces and uploading harmless placeholder extensions, which were still installed by over 1,000 developers, highlighting the high level of trust placed in automated extension suggestions. The vulnerability arises from inherited configuration files that point to Microsoft's extension marketplace, which these forks cannot legally use, leading to reliance on OpenVSX. Both file-based and software-based recommendations can trigger the installation prompt for these non-existent extensions, such as when opening an `azure-pipelines.yaml` file or detecting PostgreSQL on a system. The incident underscores a significant supply chain risk, as malicious actors could exploit this gap to distribute harmful code, potentially resulting in the theft of credentials, secrets, or source code. Vendor responses varied, with some IDEs addressing the issue promptly after disclosure, while others were slower to react.
Mar 21, 2026
Trojanized npm Packages Deliver OtterCookie to Steal AI Coding Tool Secrets
A malicious npm campaign used the account **`gemini-check`** to publish trojanized packages including **`gemini-ai-checker`**, **`express-flowlimit`**, and **`chai-extensions-extras`**, disguising them as legitimate developer utilities while delivering a staged JavaScript payload from Vercel-hosted infrastructure. Researchers linked the malware to **OtterCookie**, a modular Node.js backdoor associated with the DPRK-linked **Contagious Interview** activity cluster, citing overlaps in payload design, remote access capability, and data-theft behavior. The packages were downloaded more than 500 times in total, and while **`gemini-ai-checker`** was removed, the other packages were still available at the time of reporting. The malware executed code in memory to reduce detection and then stole browser credentials, cryptocurrency wallets, files, clipboard contents, and developer secrets. It also explicitly targeted directories tied to AI coding tools including **Cursor**, **Claude**, **Gemini CLI**, **Windsurf**, **PearAI**, and **Eigent**, enabling theft of API tokens, conversation logs, source code, SSH keys, and cloud credentials. The campaign shows a software supply-chain intrusion aimed directly at developers, with a particular focus on compromising AI-assisted development environments and the sensitive access they contain.
Apr 13, 2026
Critical Vulnerabilities in AI-Powered Coding Tools Enable Data Exfiltration and Remote Code Execution
Security researchers have disclosed over 30 vulnerabilities in a range of AI-powered Integrated Development Environments (IDEs) and coding assistants, collectively named 'IDEsaster.' These flaws, affecting popular tools such as Cursor, Windsurf, Kiro.dev, GitHub Copilot, Zed.dev, Roo Code, Junie, and Cline, allow attackers to chain prompt injection techniques with legitimate IDE features to achieve data exfiltration and remote code execution (RCE). The vulnerabilities exploit the fact that AI agents integrated into these environments can autonomously perform actions, bypassing traditional security boundaries and enabling attackers to hijack context, trigger unauthorized tool calls, and execute arbitrary commands. At least 24 of these vulnerabilities have been assigned CVE identifiers, highlighting the widespread and systemic nature of the risk. The research emphasizes that the integration of AI agents into development workflows introduces new attack surfaces, as these agents often operate with elevated privileges and insufficient threat modeling. Notably, the issues differ from previous prompt injection attacks by leveraging the AI agent's ability to activate legitimate IDE features for malicious purposes. Additional reporting confirms that critical CVEs have been issued for these tools, and broader industry analysis warns that nearly half of all AI-generated code contains exploitable flaws, with a particularly high vulnerability rate in Java. The findings underscore the urgent need for organizations using AI-driven development tools to reassess their security postures and apply available patches to mitigate the risk of data theft and RCE attacks.
Mar 21, 2026