How Malicious JetBrains Plugins Undermine Developer Trust in AI Tools
Developers are already wary about AI in their IDEs. On platforms like Reddit (e.g., r/JetBrains, r/programming) and Hacker News, developers frequently voice frustration with JetBrains' own AI Assistant, citing its default bundling, the difficulty of truly uninstalling it, and the lack of clear answers on data collection. When a bug even re-enables the AI plugin after an update, forcing a re-disable, it reinforces a sense of unease. User reports alleging the deletion of negative reviews for JetBrains' own AI plugin further solidify this skepticism. This context makes the recent discovery of malicious JetBrains plugins stealing AI API keys even more alarming.
So, when news breaks that at least 15 malicious plugins on the JetBrains Marketplace have been actively stealing AI API keys for months, this incident represents a significant breach of developer trust, particularly concerning AI integrations. The attack directly targeted the AI integrations many developers already scrutinize, undermining the very tools we rely on daily.
The Incident: A Coordinated Credential Grab by Malicious JetBrains Plugins
Aikido Security recently uncovered a coordinated malware campaign targeting developers using JetBrains IDEs. They found a network of at least 15 malicious plugins, published under seven different vendor accounts, that collectively totaled close to 70,000 installations. Notably, two plugins, 'DeepSeek AI Assist' and 'CodeGPT AI Assistant', accounted for a significant portion of these, with approximately 27,700 and 25,500 downloads respectively. These tools masqueraded as legitimate AI coding assistants, code-review tools, and Git utilities, blending seamlessly into the ecosystem.
The campaign started quietly, with the first malicious plugins appearing in October 2025. The latest one was published as recently as June 10, 2026, demonstrating a sustained, active effort. The targets were specific: API keys for services like OpenAI, DeepSeek, and SiliconFlow. These keys grant access to significant compute resources and, potentially, sensitive data.
The Mechanism: Deceptive Simplicity of Malicious JetBrains Plugins
The attack chain, while simple in design, proved highly effective. The plugins function exactly as advertised, providing the promised AI assistance or Git utility. This builds a false sense of security.
Upon installation of the seemingly legitimate plugin, the user navigates to its settings to input an AI API key for services such as OpenAI. Once the API key is entered into the designated field and 'Apply' is clicked to save settings, the plugin's save() method executes. This method then invokes BaseUtil.request("key", dto), initiating immediate API key transmission. The key is exfiltrated in plaintext via an HTTP POST request to a hardcoded attacker-controlled server at 39.107.60[.]51. A static token, F48D2AA7CF341F782C1D, is included in the X-Api-Key header, likely serving as the attacker's internal authentication. This method of credential exfiltration, particularly the use of hardcoded server details and plaintext transmission, aligns with common techniques observed in supply chain attacks, often categorized under MITRE ATT&CK T1552.001 'Unsecured Credentials: Credentials in Files' or T1567.002 'Exfiltration Over Web Service: Exfiltration to Cloud Storage'.
There is no user prompt, no consent screen, and no UI element hinting at this exfiltration. It simply happens. BleepingComputer independently confirmed this credential theft code in the latest version of the "DeepSeek AI Assist" plugin (a specific plugin ID), which, at the time of writing, was still available on the JetBrains Marketplace.
The theory behind the "paid tier" offered by these plugins is notable. Users could pay for a premium service, and the attacker's server would then provide an API key for AI model calls. It is hypothesized that these "premium" keys were simply the keys stolen from free users, effectively monetizing stolen credentials by reselling access to compromised compute resources. It's a functional, if illicit, business model.
The Broader Ramifications: More Than Just Financial Loss
While credential-stealing packages are more frequently observed in repositories like npm and PyPI, their appearance on the JetBrains Marketplace is less common, making this campaign particularly significant for the platform's integrity. With nearly 70,000 installations, tens of thousands of developers have potentially had their AI API keys stolen, representing the immediate impact. These keys are valuable. They can be used for unauthorized compute, leading to significant financial charges for the legitimate owner. They can also be used to access or generate data, potentially exposing sensitive information if the AI models were used in a context with proprietary code or data.
The deeper impact here is on trust. Developer machines are high-value targets, containing critical assets like source code, cloud credentials, signing keys, and increasingly, AI API keys. IDEs like those from JetBrains run plugins with full user privileges, unsandboxed. This means a malicious plugin has a wide attack surface.
The JetBrains Marketplace does have a manual review process. The fact that 15 plugins with similar, repackaged malicious code evaded detection, some remaining active for months and even being updated, undermines confidence in that review process. The issue extends beyond a few bad actors; it concerns the integrity of the platform itself.
Developers are already cautious about the opacity of some AI tools and the data they might collect. This incident validates concerns: that tools intended for assistance can be weaponized, not just through opaque vendor practices, but by direct malicious code.
Charting a Path Forward: Necessary Changes
As of now, JetBrains has not publicly responded to BleepingComputer's inquiries; this lack of communication warrants attention. When a coordinated campaign like this is uncovered, especially one that has been active for so long and affects so many users, a swift and transparent response is essential.
It is imperative that JetBrains immediately remove all identified malicious plugins and conduct a thorough audit of their marketplace. The audit should extend beyond the 15 identified plugins to uncover any others sharing similar code or tactics. They also need to communicate clearly with affected users about what happened, what data was compromised, and what steps users should take. Beyond that, the incident highlights a need for stronger security controls within the marketplace itself. A manual review process is good, but it's clearly not enough to catch sophisticated, or even simply persistent, malicious actors. This calls for enhanced static and dynamic analysis. Automated tools should improve their capability to detect obfuscated or repackaged malicious code. Furthermore, behavioral monitoring is crucial. Plugins should be observed for suspicious network activity or file system access that deviates from their stated purpose. While full sandboxing could impact plugin functionality, exploring methods to limit plugin privileges, particularly for network access, is vital. Finally, transparency and accountability are paramount. JetBrains should be more open about their review process and how they manage reports of malicious plugins. The perception of deleted negative reviews only exacerbates the erosion of trust.
This incident demonstrates that the convenience of third-party integrations carries significant risk. For developers, this requires a heightened level of scrutiny. Only install plugins from trusted sources, and maintain skepticism even then. Understand what permissions a plugin requests and what network activity it might perform.
The JetBrains Marketplace, like any software repository, is a key component of the developer ecosystem. Its security is fundamental. This campaign signifies a fundamental breach of trust, extending beyond merely stolen API keys, which JetBrains needs to address directly, with greater transparency than observed to date.
