Malicious Plugins on JetBrains Marketplace Stealing AI API Keys
Security researchers at Aikido Security have uncovered a malware campaign targeting developers on the JetBrains Marketplace: at least 15 plugins on the platform were built to steal AI API keys from the developers who installed them.
The plugins pose as AI coding assistants, code-review tools, and Git utilities that integrate with providers such as OpenAI, DeepSeek, and SiliconFlow. They work as advertised, which is part of the lure: in the background they exfiltrate the AI provider API keys that users enter into the plugin settings.
Aikido Security described the campaign as coordinated: the plugins were published under seven different vendor accounts and had been installed close to 70,000 times in total.
The campaign began in October 2025 and is still active, with new malicious plugins published as recently as June 10, 2026. Each plugin quietly transmits the API keys entered into its settings to a server controlled by the attackers.
Aikido also found that the plugins do not merely collect the keys: they include a mechanism that hands the stolen keys out to the plugins' own paying users. Anyone holding such a key can send requests that are billed to the victim's provider account, so misuse of the harvested credentials is the expected outcome, not a hypothetical one.
BleepingComputer independently verified the credential-theft code in the DeepSeek AI Assist plugin, confirming Aikido's findings. At the time of writing, the plugin was still available for download on the JetBrains Marketplace.
Malicious plugins identified by Aikido Security (plugin name, followed by the plugin ID):
- DeepSeek Junit Test (org.sm.yms.toolkit)
- DeepSeek Git Commit (com.json.simple.kit)
- DeepSeek FindBugs (org.bug.find.tools)
- DeepSeek AI Chat (org.translate.ai.simple)
- DeepSeek Dev AI (com.yy.test.ai.simple)
- DeepSeek AI Coding (com.dev.ai.toolkit)
- AI FindBugs (com.json.view.simple)
- AI Git Commitor (com.my.git.ai.kit)
- AI Coder Review (org.check.ai.ds)
- DeepSeek Coder AI (com.review.tool.code)
- AI Coder Assistant (org.code.assist.dev.tool)
- DeepSeek Code Review (com.coder.ai.dpt)
- CodeGPT AI Assistant (com.my.code.tools)
- DeepSeek AI Assist (ord.cp.code.ai.kit)
- Coding Simple Tool (com.dp.git.ai.tool)
Among these plugins, DeepSeek AI Assist and CodeGPT AI Assistant were the most downloaded, with 27,727 and 25,571 downloads respectively. Download counts can be inflated, however, and do not necessarily reflect unique installations.
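The plugin IDs above are the concrete indicator a developer or security team can act on. The script below, an added example that is not part of Aikido's or BleepingComputer's reporting, walks a JetBrains IDE plugin directory, reads the `<id>` element from each jar's `META-INF/plugin.xml`, and reports any ID that appears in the list. It assumes the usual installed-plugin layout (a plugin directory containing `lib/*.jar`, or a bare jar) and that the plugin ID lives in `META-INF/plugin.xml`; the `write_fake_plugin` and `demo` helpers only build constructed sample jars so the scanner can be exercised offline.

```python
"""Scan a JetBrains plugin directory for the plugin IDs reported by Aikido Security.

Added example, not code from Aikido or BleepingComputer. Assumes installed plugins
sit under one directory (e.g. the IDE's config dir / plugins) as either bare jars
or <Plugin>/lib/*.jar, and that each jar carries META-INF/plugin.xml with an <id>.
"""
from __future__ import annotations

import tempfile
import xml.etree.ElementTree as ET
import zipfile
from pathlib import Path

# Plugin IDs copied from the list in the article.
MALICIOUS_PLUGIN_IDS = frozenset({
    "org.sm.yms.toolkit", "com.json.simple.kit", "org.bug.find.tools",
    "org.translate.ai.simple", "com.yy.test.ai.simple", "com.dev.ai.toolkit",
    "com.json.view.simple", "com.my.git.ai.kit", "org.check.ai.ds",
    "com.review.tool.code", "org.code.assist.dev.tool", "com.coder.ai.dpt",
    "com.my.code.tools", "ord.cp.code.ai.kit", "com.dp.git.ai.tool",
})


def plugin_id_from_jar(jar_path: Path) -> str | None:
    """Return the <id> from META-INF/plugin.xml inside a jar, or None if absent."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            if "META-INF/plugin.xml" not in zf.namelist():
                return None  # library jar, not the plugin descriptor
            root = ET.fromstring(zf.read("META-INF/plugin.xml"))
    except (zipfile.BadZipFile, ET.ParseError, OSError):
        return None  # unreadable or malformed; skip rather than crash the scan
    if root.tag != "idea-plugin":
        return None
    id_el = root.find("id")
    return id_el.text.strip() if id_el is not None and id_el.text else None


def installed_plugin_ids(plugins_dir: Path) -> dict[str, Path]:
    """Map every plugin ID found under plugins_dir to the jar that declares it."""
    found: dict[str, Path] = {}
    for jar in sorted(Path(plugins_dir).rglob("*.jar")):
        pid = plugin_id_from_jar(jar)
        if pid and pid not in found:
            found[pid] = jar
    return found


def flag_malicious(installed: dict[str, Path]) -> dict[str, Path]:
    """Keep only the installed plugins whose ID is on the reported list."""
    return {pid: jar for pid, jar in installed.items() if pid in MALICIOUS_PLUGIN_IDS}


def write_fake_plugin(plugins_dir: Path, plugin_id: str, name: str) -> Path:
    """Constructed sample: write a minimal plugin jar for offline testing (not a real plugin)."""
    jar = plugins_dir / name / "lib" / f"{name}.jar"
    jar.parent.mkdir(parents=True, exist_ok=True)
    plugin_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f"<idea-plugin><id>{plugin_id}</id><name>{name}</name></idea-plugin>"
    )
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/plugin.xml", plugin_xml)
    return jar


def demo() -> list[str]:
    """Scan a temp dir holding one listed and one benign constructed plugin; return flagged IDs."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins_dir = Path(tmp)
        write_fake_plugin(plugins_dir, "com.my.code.tools", "CodeGPT AI Assistant")
        write_fake_plugin(plugins_dir, "org.example.benign", "Benign Tool")
        return sorted(flag_malicious(installed_plugin_ids(plugins_dir)))


if __name__ == "__main__":
    import sys

    if len(sys.argv) < 2:
        print("demo on constructed data, flagged:", demo())
    else:
        hits = flag_malicious(installed_plugin_ids(Path(sys.argv[1])))
        for pid, jar in hits.items():
            print(f"FLAGGED {pid}: {jar}")
        print(f"{len(hits)} flagged plugin(s) under {sys.argv[1]}")
```

Run it with the path of the IDE's plugins directory as the only argument; with no argument it runs the constructed demo. A hit means the plugin should be uninstalled and every AI provider key that was ever entered into it treated as compromised and rotated at the provider, since the scan only shows the plugin is present, not whether the keys have already left the machine.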
Malicious packages are common on npm and PyPI, but credential-stealing plugins on the JetBrains Marketplace are rare. IDE plugins run inside the IDE process with the developer's own privileges and direct access to stored settings, so they deserve the same scrutiny as any other third-party dependency.
BleepingComputer contacted JetBrains for comment on the malicious plugins but had not received a response at the time of publication. Developers who installed any of the listed plugins should remove them and revoke and rotate any AI provider keys they entered into the plugin settings.