JetBrains Plugin Attack Exposes 70,000+ Installs
Aikido Security identified at least 15 malicious plugins on the JetBrains Marketplace that silently steal AI provider API keys from developers. The campaign spans seven vendor accounts and close to 70,000 total installs, targeting users of DeepSeek, OpenAI, and SiliconFlow integrations. Plugins function as advertised but forward the API key to a hardcoded server at 39.107.60[.]51 the moment a user clicks Apply in settings. BleepingComputer independently confirmed the credential theft code remains active in at least one plugin as of June 16, 2026. The earliest versions appeared in October 2025; new variants were published as recently as June 10, 2026. Aikido researchers also found a paid tier that may resell keys stolen from free users. JetBrains manually reviews Marketplace submissions, but the obfuscated credential-theft logic slipped through.
What happened
Aikido Security identified a coordinated malware campaign on the JetBrains Marketplace, comprising at least 15 IDE plugins published under seven vendor accounts. The plugins function as advertised - offering AI coding assistance, commit messages, code review, and bug-finding powered by DeepSeek, OpenAI, and SiliconFlow - while silently forwarding the AI provider API key a user enters into settings to an attacker-controlled server. Together, the 15 plugins have been installed close to 70,000 times, per Aikido. BleepingComputer independently downloaded and analyzed the latest version of the DeepSeek AI Assist plugin and confirmed that the credential-theft code remains active as of June 16, 2026.
How the theft works
All 15 plugins share a similar codebase that has been renamed and repackaged for each Marketplace listing. To use any of them, a developer opens the settings panel and pastes an AI provider API key. The moment the user clicks Apply, the plugin both stores the key locally and forwards it to a hardcoded command-and-control server at 39.107.60[.]51 over plain HTTP, authenticated with a static token embedded in the plugin binary. No prompt, consent screen, or user-interface notice accompanies the exfiltration, per Aikido's code analysis. The logic specifically targets keys starting with sk- that are exactly 51 characters long.
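The two observable traits described above, the fixed server address and the exact key shape the plugins select, are enough to build a simple detection. The following is an added example, not Aikido's or BleepingComputer's code, that scans constructed proxy-log lines in a hypothetical key=value format and flags traffic to the published C2 address or a targeted-shape key sent over plain HTTP:

```python
import re

# Network indicator published for this campaign (defanged in the write-up as 39.107.60[.]51).
C2_IP = "39.107.60.51"

# The plugins target keys starting with "sk-" that are exactly 51 characters long,
# i.e. "sk-" plus 48 more characters. The boundary checks stop a 52-char string matching.
TARGETED_KEY_RE = re.compile(r"(?<![A-Za-z0-9_-])sk-[A-Za-z0-9]{48}(?![A-Za-z0-9_-])")

# Hypothetical key=value proxy log format, constructed for this example.
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def is_targeted_key(candidate: str) -> bool:
    """True if the string has exactly the shape the plugins exfiltrate."""
    return candidate.startswith("sk-") and len(candidate) == 51


def parse_line(line: str) -> dict:
    """Split a key=value log line into a dict (first '=' wins per token)."""
    return dict(FIELD_RE.findall(line))


def scan_log(lines):
    """Return [(line_no, [reasons])] for every line worth investigating."""
    findings = []
    for no, line in enumerate(lines, start=1):
        fields = parse_line(line)
        reasons = []
        if fields.get("dst") == C2_IP:
            reasons.append("c2_ip")
        if fields.get("proto") == "http" and TARGETED_KEY_RE.search(line):
            reasons.append("key_over_plain_http")
        if reasons:
            findings.append((no, reasons))
    return findings


# Constructed sample keys and log lines; 203.0.113.7 is a documentation address.
KEY_51 = "sk-" + "x" * 48   # exactly the shape the plugins look for
KEY_52 = "sk-" + "y" * 49   # one character too long, deliberately ignored
SAMPLE_LOG = [
    f"ts=2026-06-10T09:14:02Z src=10.1.2.3 dst={C2_IP} proto=http method=POST path=/placeholder body=key={KEY_51}",
    "ts=2026-06-10T09:15:10Z src=10.1.2.3 dst=203.0.113.7 proto=https method=POST path=/v1/chat/completions",
    f"ts=2026-06-10T09:16:00Z src=10.1.2.4 dst=203.0.113.7 proto=http method=GET path=/health?token={KEY_52}",
    f"ts=2026-06-10T09:17:33Z src=10.1.2.5 dst={C2_IP} proto=http method=GET path=/placeholder",
]

if __name__ == "__main__":
    for line_no, reasons in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(reasons)}")
```

Only the first and fourth sample lines are flagged; the 52-character key on line three is skipped on purpose, mirroring the plugins' exact-length check.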
The paid-tier resale angle
The plugins also expose a paid tier: after a user pays a small fee through an in-plugin donation wall, the attacker server sends a working API key back to the client for that user's model calls. Aikido theorizes that keys stolen from free users are redistributed to paying users, turning the campaign into a credential-resale service where the attacker collects fees on one side and free API access on the other.
Campaign timeline and scope
The earliest affected plugins appeared at the end of October 2025. New variants were published as recently as June 10, 2026. The two most-downloaded plugins are DeepSeek AI Assist (ord.cp.code.ai.kit, 27,727 downloads) and CodeGPT AI Assistant (com.my.code.tools, 25,571 downloads). Aikido cautions that download counts can be inflated and should not be treated as a reliable estimate of unique impacted developers.
What to do
Developers who installed any of the 15 affected plugins and entered an API key should rotate the affected key immediately with their AI provider. The C2 IP 39.107.60[.]51 is a network indicator of compromise. Aikido's free malware scanner covers the affected plugins. JetBrains had not publicly responded to BleepingComputer's inquiry as of publication.
Scoring Rationale
A confirmed active supply chain attack on the JetBrains Marketplace targeting developer AI API keys - discovered by Aikido Security and independently verified by BleepingComputer. The ~70K install count and multi-month campaign duration make it a notable developer security incident, though narrower in scope than a widespread critical vulnerability in a core AI framework.