Fifteen coordinated malicious plugins distributed through the JetBrains Marketplace accumulated approximately 70,000 downloads over eight months while exfiltrating AI provider API keys from developers who configured them. Aikido Security researchers disclosed the campaign on June 16–17, identifying plugins spread across seven separate JetBrains Marketplace accounts that targeted credentials for OpenAI, DeepSeek, and SiliconFlow.
How 15 Plugins Persisted Across IntelliJ, PyCharm, and WebStorm for Eight Months
All 15 plugins presented themselves as legitimate developer tools — AI coding assistants, code-review utilities, and Git productivity extensions — and delivered their advertised functionality while simultaneously collecting credentials. When a developer entered an AI provider API key into a plugin’s settings dialog and clicked “Apply,” the plugin transmitted that key via HTTP to a hardcoded attacker-controlled server at IP address 39.107.60[.]51, through the endpoint /api/software/key.
The campaign ran for at least eight months before detection, covering the full range of JetBrains IDEs that share the same plugin distribution channel: IntelliJ IDEA, PyCharm, WebStorm, and their derivatives. The distribution across seven separate marketplace accounts suggests deliberate compartmentalization — spreading the plugins across multiple identities to reduce the risk that removal of one account would expose the full campaign.
DeepSeek AI Assist and CodeGPT AI Assistant: The Two Highest-Volume Credential Harvesters
The two plugins with the highest download counts were “DeepSeek AI Assist” with 27,727 downloads and “CodeGPT AI Assistant” with 25,571 downloads. Together these two accounted for the majority of the estimated 70,000 total installations across all 15 plugins.
Both plugins used the AI integration theme to their advantage: developers working AI tools into their coding workflows expect to configure API credentials within their IDE, making the settings dialog credential-capture mechanism a natural and unsuspicious interaction. A developer who installed “DeepSeek AI Assist” to accelerate code generation would have had no reason to suspect that clicking “Apply” after entering their API key simultaneously sent that key to an external server.
Why OpenAI, DeepSeek, and SiliconFlow API Keys Are High-Value Bearer Tokens
AI API keys function as bearer tokens — whoever holds the key can make API calls charged to the victim’s account, with no secondary verification required. An attacker who collected a developer’s OpenAI key could issue requests that appear identical to those from the legitimate organization: generating content, querying models, and accessing any data submitted through the API during active sessions.
Enterprise developers may have exposed more than individual API keys. IDE plugins with access to the development environment can observe code snippets, repository fragments, and completion context that developers submit to AI models during normal coding sessions. If the exfiltrated keys were used to replay or mirror those sessions, the breach extends beyond credential theft to the content of the developer’s active work.
Eight Months of IDE Marketplace Persistence Exposes a Detection Gap
The campaign’s duration — active since at least October 2025 — illustrates a detection gap that affects IDE plugin marketplaces specifically. Package managers like npm and PyPI receive substantially more automated security scrutiny than IDE plugin distribution channels, despite carrying comparable supply-chain risk. A malicious npm package transmitting credentials to an external server on install would likely trigger automated scanning within hours. A JetBrains Marketplace plugin doing the same on a settings-dialog interaction persisted for eight months without automated removal.
The distinction matters because IDE plugins occupy a privileged position in the development environment. Unlike a command-line tool or a web dependency, an IDE plugin runs persistently inside the developer’s primary work application, with access to file system paths, open editors, terminal sessions, and any credentials the developer enters through the IDE’s own settings interface. This access profile makes IDE plugins an attractive and underscrutinized vector for long-duration credential collection.
JetBrains removed the 15 identified plugins following Aikido Security’s disclosure. Developers who installed any of the identified plugins and entered AI provider credentials should treat those keys as compromised: immediate rotation of all OpenAI, DeepSeek, and SiliconFlow API keys is the primary remediation, followed by a review of API provider usage logs for anomalous call patterns indicating the keys were used after exfiltration.
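Because the report names only two of the 15 plugins, a practical first check for developers is to look for the hardcoded exfiltration indicators themselves inside locally installed plugin JARs. The following scanner is an added example written for this article, not code from Aikido Security or JetBrains; the plugin directory locations are assumptions based on the default per-product layout, and `build_sample_jar` is a constructed fixture used only to show the scanner working.

```python
"""Scan installed JetBrains plugin JARs for the exfiltration indicators quoted in
the disclosure: the server 39.107.60.51 and the endpoint /api/software/key.
Added defender-side example; plugin roots below are assumed defaults."""
import io
import os
import zipfile
from pathlib import Path

# Java string literals live in the class constant pool as (modified) UTF-8, so a
# plain byte search finds unobfuscated hardcoded URLs. Concatenated or encoded
# strings will not match; treat a clean result as necessary, not sufficient.
IOCS = [b"39.107.60.51", b"/api/software/key"]

# Assumed default plugin roots (Linux, macOS, Windows); adjust for your install.
PLUGIN_ROOTS = [
    Path.home() / ".local/share/JetBrains",
    Path.home() / "Library/Application Support/JetBrains",
    Path(os.environ.get("APPDATA", "")) / "JetBrains",
]

def scan_jar_bytes(data: bytes) -> list[tuple[str, str]]:
    """Return (member name, indicator) for every IoC found in a JAR's members."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for member in jar.namelist():
            blob = jar.read(member)
            hits.extend((member, ioc.decode()) for ioc in IOCS if ioc in blob)
    return hits

def scan_plugin_roots(roots=PLUGIN_ROOTS) -> dict[str, list[tuple[str, str]]]:
    """Walk each root, scan every .jar, and map JAR path -> hits (only if any)."""
    findings = {}
    for root in roots:
        for jar_path in (root.rglob("*.jar") if root.is_dir() else []):
            try:
                hits = scan_jar_bytes(jar_path.read_bytes())
            except zipfile.BadZipFile:
                continue  # not a real JAR; skip rather than abort the sweep
            if hits:
                findings[str(jar_path)] = hits
    return findings

def build_sample_jar() -> bytes:
    """Constructed fixture: a minimal JAR whose fake class embeds the IoC string
    the way a hardcoded URL literal sits in a compiled class's constant pool."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/plugin.xml", "<idea-plugin><id>example.assist</id></idea-plugin>")
        jar.writestr("com/example/KeySettings.class",
                     b"\xca\xfe\xba\xbe\x00\x00\x00\x34http://39.107.60.51/api/software/key")
        jar.writestr("com/example/Benign.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x34no url here")
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_jar_bytes(build_sample_jar()))
    for jar, hits in scan_plugin_roots().items():
        print(jar, hits)
```

A hit on a JAR means the key entered into that plugin's settings dialog should be rotated and its provider usage logs reviewed, as the article's remediation describes.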
