15 Malicious JetBrains Plugins Caught Stealing AI API Keys

Security researchers have uncovered a coordinated campaign on the JetBrains Marketplace that published 15 malicious plugins designed to steal AI provider API keys from developers.

Each plugin poses as an AI coding assistant branded around DeepSeek, OpenAI and similar providers, offering code review, commit-message generation and bug detection. The advertised features genuinely work, which is what makes the plugins convincing. The catch: any API key you enter is quietly sent to a server the attacker controls.

Aikido Security researcher Ilyas Makari said the campaign has been running since late October 2025, with new plugins appearing as recently as June 10, 2026. Two plugins — CodeGPT AI Assistant and DeepSeek AI Assist — each have over 25,000 downloads, though those numbers may be inflated.

Here’s the twist: the plugins also run a paid tier. Users pay a small fee through a built-in donation wall, and the server sends back a working API key. That key isn’t the user’s — it’s one stolen from another victim. The operators are essentially reselling stolen credentials as a service.

All 15 plugins share similar code and exfiltrate keys in plaintext over HTTP to the IP 39.107.60[.]51. Plaintext HTTP cuts both ways: every key also crosses whatever network sits between the developer and that server unencrypted, and the traffic is easy to spot at an egress proxy. The campaign highlights a growing trend: threat actors targeting developer environments through trusted tool ecosystems.
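The plaintext exfiltration makes this campaign detectable from egress logs alone. The script below is an added example, not code from the article or from Aikido Security; it triages a constructed key=value proxy log and flags two things: any request to the reported exfiltration IP, and any plaintext HTTP request whose body carries an API-key-shaped string. The log format, the sample lines and the `sk-` key prefixes are assumptions for illustration; adapt the parser to whatever your proxy or Zeek pipeline emits.

```python
"""Egress log triage for plaintext API-key exfiltration (added example, not from the article)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Indicator from the report: the server all 15 plugins send keys to (defanged in the text as 39.107.60[.]51).
EXFIL_IP = "39.107.60.51"

# Rough shape of the provider keys these plugins ask for. The prefixes are an assumption about what
# developers typically paste in (OpenAI/DeepSeek-style "sk-" keys); extend for the providers you use.
KEY_RE = re.compile(r"\b(?:sk-proj-|sk-ant-|sk-)[A-Za-z0-9_-]{16,}")

# Constructed sample log, one request per line, body as the final field. Addresses other than the
# indicator are documentation ranges; the keys are made up.
SAMPLE_LOG = [
    "ts=2026-06-11T09:14:02Z src=10.0.0.5 dst=39.107.60.51 scheme=http method=POST path=/api/key "
    "body=provider=deepseek&api_key=sk-4f2a9c1e7b8d3e6f0a1b2c3d4e5f6a7b",
    "ts=2026-06-11T09:14:05Z src=10.0.0.5 dst=198.51.100.20 scheme=https method=POST path=/v1/chat/completions body=",
    "ts=2026-06-11T09:20:11Z src=10.0.0.8 dst=203.0.113.7 scheme=http method=POST path=/collect "
    "body=token=sk-proj-Q7x9mK2pL4nV8rT1wY3zB6cD",
    "ts=2026-06-11T09:25:40Z src=10.0.0.5 dst=39.107.60.51 scheme=http method=GET path=/ body=",
]


@dataclass
class Finding:
    line_no: int
    dst: str
    reasons: list[str] = field(default_factory=list)
    key_preview: str = ""  # first characters only; never write the full secret back into a log


def parse_line(line: str) -> dict[str, str]:
    """Parse one key=value log line. The body is the last field and may itself contain '=' and '&'."""
    head, sep, body = line.partition(" body=")
    rec: dict[str, str] = {}
    for tok in head.split():
        k, _, v = tok.partition("=")
        rec[k] = v
    if sep:
        rec["body"] = body
    return rec


def preview(secret: str) -> str:
    """Redact a matched key down to a short prefix so findings can be shared safely."""
    return secret[:6] + "..." if len(secret) > 6 else secret


def triage(lines: list[str]) -> list[Finding]:
    """Return one Finding per suspicious line, with every reason that fired."""
    findings: list[Finding] = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        dst = rec.get("dst", "")
        f = Finding(line_no=n, dst=dst)
        # Reason 1: known indicator, regardless of what the request looks like.
        if dst == EXFIL_IP:
            f.reasons.append("known_exfil_ip")
        # Reason 2: a key-shaped token leaving over cleartext HTTP to any destination.
        m = KEY_RE.search(rec.get("body", ""))
        if m and rec.get("scheme") == "http":
            f.reasons.append("plaintext_key_over_http")
            f.key_preview = preview(m.group(0))
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: dst={f.dst} reasons={','.join(f.reasons)} key={f.key_preview or '-'}")
```

The second rule is the one worth keeping after this campaign is forgotten: a provider key in a cleartext request body is wrong whoever the destination is, and it also catches the HTTPS-to-legitimate-API case being misrouted through an unencrypted hop.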

In a related finding, two Chrome ad blocker extensions with over 100,000 combined users were caught capturing AI chatbot conversations from ChatGPT, Claude, Gemini, and others. The data collection, codenamed PromptSnatcher, had been running for years via software updates.

Treat plugins like any other dependency running with your privileges. Don't paste long-lived secrets into tools you haven't vetted. If you installed any of these plugins, assume every key you typed into them is compromised: revoke and rotate it, and check the provider's usage logs for activity you did not generate.