70,000 Installs Expose JetBrains Plugins' AI API Key Heist

Malicious JetBrains plugins show that AI credential theft has moved into the developer’s workspace, not just the production stack. At least 15 JetBrains Marketplace plugins were designed to steal AI API keys from developers, according to BleepingComputer, which cited research from Aikido Security and independently confirmed theft code in one plugin.

The campaign matters because the target was not a cloud console, a database, or a CI/CD pipeline. It was the IDE, where developers increasingly paste credentials into tools that promise faster coding, code review, Git commits, and AI assistance. XOOMAR analysis: that makes the incident a supply-chain attack at the software creation layer, with AI keys as the prize.

"At least 15 IDE plugins, published under seven vendor accounts, share the same hidden behavior. Each one exfiltrates the AI provider API key that you stored into its settings, and together they have been installed close to 70,000 times."

Malicious JetBrains plugins turned AI coding convenience into a credential trap

The core trick was simple: the plugins worked well enough to look legitimate, while quietly stealing the credentials users gave them. Aikido said the plugins presented themselves as AI coding assistants, code-review tools, and Git utilities tied to services including OpenAI, DeepSeek, and SiliconFlow.

That matters more than the raw plugin count. A single malicious package can be dismissed as a rogue upload. A batch of 15 plugins across seven vendor accounts points to repeatable abuse of trust, naming, distribution, and review processes inside a developer marketplace.

The strongest counterpoint is that the reporting does not show these plugins stealing every secret on a machine. The described theft is narrower: a user enters an AI API key into plugin settings, clicks "Apply", and the plugin sends that key away. That limit matters.

Still, the thesis holds. A malicious tool does not need full endpoint takeover if developers voluntarily paste high-value credentials into it. The trust boundary has already been crossed.

The JetBrains Marketplace campaign had a clear timeline and a hardcoded exfiltration path

Aikido said the malicious plugins were first published in October 2025, with new plugins still being published as recently as June 10, 2026. BleepingComputer reported that the stolen credentials were sent to a hardcoded server at 39.107.60[.]51 over HTTP, using the URL hxxp://39.107.60[.]51/api/software/key.

BleepingComputer also downloaded and analyzed the latest version of DeepSeek AI Assist (plugin ID: ord.cp.code.ai.kit) and said it independently confirmed that the credential theft code described by Aikido was still present. At the time of publication, that plugin remained available through the JetBrains Marketplace. JetBrains had not responded to BleepingComputer by publication.

The download numbers should be handled carefully. Aikido warned that counts can be manipulated and should not be treated as unique installations. Even so, the figures show these plugins were not sitting unnoticed in a dead corner of the marketplace.

The paid tier makes the AI key theft look even stranger

The most unusual detail is the reported paid tier. Aikido found functionality that allowed the remote server to send AI API keys back down to paying users. The researchers said it was unclear where those keys came from, but theorized that operators may have harvested credentials from free users and then provided them to paid users.

"The plugins also run a paid tier. After a user pays a small fee through the donation wall built into the plugin, the server sends an API key back down to the client, and the plugin starts using that key for its model calls instead of your own, which is bizarre, since no legitimate operator would simply hand a user a working and unrestricted key to a paid AI provider," says Aikido.

That claim is not proof of credential resale. The source does not establish the origin of the keys delivered to paid users. But the architecture described by Aikido is enough to raise a sharper question: why would a legitimate plugin operator distribute working AI provider keys through its own server at all?

XOOMAR analysis: the paid-tier behavior turns this from simple credential theft into a possible credential circulation scheme. The evidence supplied does not prove the full business model, but it does show a system built to collect keys and also hand keys back out.

The malicious plugin list shows a naming strategy built around AI trust

The campaign leaned heavily on names that sound useful to developers already experimenting with AI coding tools. Many included DeepSeek, AI, Coder, Code Review, or Git language.

The plugins identified by Aikido were:

• DeepSeek Junit Test (org.sm.yms.toolkit)
• DeepSeek Git Commit (com.json.simple.kit)
• DeepSeek FindBugs (org.bug.find.tools)
• DeepSeek AI Chat (org.translate.ai.simple)
• DeepSeek Dev AI (com.yy.test.ai.simple)
• DeepSeek AI Coding (com.dev.ai.toolkit)
• AI FindBugs (com.json.view.simple)
• AI Git Commitor (com.my.git.ai.kit)
• AI Coder Review (org.check.ai.ds)
• DeepSeek Coder AI (com.review.tool.code)
• AI Coder Assistant (org.code.assist.dev.tool)
• DeepSeek Code Review (com.coder.ai.dpt)
• CodeGPT AI Assistant (com.my.code.tools)
• DeepSeek AI Assist (ord.cp.code.ai.kit)
• Coding Simple Tool (com.dp.git.ai.tool)

The names are not incidental. They sit exactly where developer demand is hottest: AI-assisted coding, review, tests, and commits. The strongest counterpoint is that useful plugins often have generic names too, so name patterns alone prove nothing. But when many similarly themed plugins share hidden behavior and similar code, the naming strategy becomes part of the attack surface.

JetBrains was not the only trust layer in this incident

Developers install plugins because plugins save time. That is the honest starting point. Blaming individual developers for trusting a marketplace tool misses the structural issue: modern engineering workflows depend on third-party extensions, and AI plugins often require credentials to work.

Marketplace operators sit at the next layer. In this case, BleepingComputer reported that the plugins were still an issue at publication time and that JetBrains had not responded by then. The source does not say what JetBrains’ internal review process did or did not catch, so any stronger claim would overreach.

AI providers are another layer, but the reporting does not say OpenAI, DeepSeek, or SiliconFlow were compromised. Their names appear because the plugins were marketed around services such as those providers. XOOMAR analysis: for providers, the incident highlights the importance of customer-side controls that reduce the damage when a key is copied into the wrong tool, but this campaign is reported as a plugin marketplace compromise, not a provider breach.

Security teams face the hardest tradeoff. They can’t pretend AI coding tools don’t exist, and blanket bans often fail when engineers need working tools. A better response starts with visibility: which IDE plugins are installed, which ones accept secrets, which publishers are approved, and which AI keys are active.

Engineering teams should treat IDE plugins as part of the secret-management perimeter

The practical response is clear enough, even with open questions. Teams that use JetBrains IDEs and AI coding plugins should inventory installed extensions, compare them against the reported plugin names, and remove anything suspicious or unused. If any of the listed plugins were installed, rotate affected AI API keys and review usage logs for unexpected model calls.

Security teams should also look at where AI keys live. The source specifically describes keys being entered into plugin settings and stolen when users clicked "Apply". That makes local tool configuration a real secret-management surface, not an afterthought.

Useful controls here are boring, which is usually a good sign:

• Plugin inventory: Know which JetBrains Marketplace plugins are installed across developer machines.
• Publisher review: Verify plugin publisher identity before allowing tools that request AI keys.
• Key rotation: Replace AI API keys that were stored in affected plugin settings.
• Usage review: Check AI provider logs and billing records for unexplained activity.
• Developer telemetry: Look for suspicious plugins and unexpected outbound traffic from IDE processes.

None of this proves whether stolen keys were used after exfiltration. The source does not provide that evidence. But waiting for confirmed misuse is a poor standard when credentials have already left the machine over HTTP.

AI credential theft will keep testing IDE marketplace trust

BleepingComputer noted that malicious packages are commonly found on npm and PyPI, while reports of credential-stealing plugins on the JetBrains Marketplace are far less common. That contrast is the signal. Attackers have long gone where developers fetch code. Now they are probing where developers write code.

The next evidence to watch is straightforward: JetBrains’ response, takedown timing, whether more related plugins appear, and whether researchers connect the hardcoded server to broader credential use. Evidence that stolen keys were redistributed to paid users would strengthen the most serious interpretation of this campaign. Evidence that the server-supplied keys came from another legitimate source would weaken it.

AI-assisted development will not slow because of one marketplace incident. But malicious JetBrains plugins have shown that the IDE itself is now a credential-risk surface. If marketplaces and engineering teams treat AI plugins as harmless productivity add-ons, the next campaign may not stop at stealing keys.

Impact Analysis

• The attack moved credential theft into developers’ IDEs, where AI tools are increasingly trusted.
• At least 15 plugins across seven vendor accounts suggest repeatable abuse of marketplace trust.
• Stolen AI API keys can expose organizations to unauthorized usage and broader development workflow risk.