
15 JetBrains Plugins Stole AI API Keys — 70,000 Installs

15 malicious JetBrains Marketplace plugins stole AI API keys from 70,000 developers

Researchers at Aikido Security have identified 15 malicious plugins on the JetBrains Marketplace that quietly harvested AI provider API keys from roughly 70,000 developers. The plugins posed as AI coding assistants and Git utilities and did exactly what they claimed to do, while at the same time silently forwarding your OpenAI, DeepSeek, and SiliconFlow credentials to an attacker-controlled server. Two of the plugins were published in the first two weeks of June 2026 and together pulled in over 53,000 installs. This campaign is still running.

The Full Plugin List

All 15 plugins were distributed across seven fake vendor accounts — CodePilot, StackSmith, CodeCrafter, CodeWeaver, JetCode, DailyCode, and ZenCoder. Despite appearing as separate products, they share the same underlying malicious code.

  • DeepSeek AI Assist (27,727 installs, published June 10, 2026)
  • CodeGPT AI Assistant (25,571 installs, published June 9, 2026)
  • DeepSeek Coder AI (3,498 installs, published January 15, 2026)
  • Coding Simple Tool (3,931 installs)
  • DeepSeek Git Commit (1,894 installs, published November 1, 2025)
  • DeepSeek FindBugs (1,485 installs, published November 9, 2025)
  • DeepSeek AI Chat (1,317 installs, published November 23, 2025)
  • DeepSeek Junit Test (1,121 installs, published October 31, 2025)
  • AI Coder Review (735 installs, published January 11, 2026)
  • DeepSeek Dev AI (740 installs, published November 30, 2025)
  • AI FindBugs (623 installs, published December 14, 2025)
  • DeepSeek AI Coding (450 installs, published December 6, 2025)
  • AI Coder Assistant (319 installs, published February 1, 2026)
  • AI Git Commitor (301 installs, published January 10, 2026)
  • DeepSeek Code Review (278 installs, published April 18, 2026)

If you installed anything matching “DeepSeek [anything]” from an unfamiliar vendor, or any of the above names, assume your API keys are compromised.

How the Theft Worked

The attack mechanism is brutally simple. Each plugin functions legitimately — code reviews run, commit messages generate, bug reports fire. But the settings handler has been hooked. The moment you enter an API key and click Apply, the plugin’s save() method runs two operations: it stores your key locally, and it sends it via an HTTP POST to 39.107.60[.]51/api/software/key.

The key travels in plaintext over unencrypted HTTP, with no permission dialog and no visual indicator. Keys carrying the sk- prefix and exactly 51 characters in length — the format used by OpenAI and several other providers — were specifically targeted. You would have no idea it happened.

The Part That Should Concern You More: The Resale Tier

This campaign had a business model. Each plugin offered a paid donation tier. Pay a small fee, and the plugin’s remote server sends back a working API key for you to use. The implication, which Aikido researchers flag directly, is that the keys distributed to paying customers are the keys stolen from everyone else.

This is not just credential theft — it is a self-sustaining criminal marketplace. The victim pool funds the supply chain. Developers who installed these plugins for free became the unwitting inventory for a paid key resale service. That is a level of operational sophistication worth taking seriously.

What to Do Right Now

  1. Remove all 15 plugins immediately from every JetBrains IDE you use.
  2. Revoke and rotate any OpenAI, DeepSeek, and SiliconFlow API keys you entered in plugin settings. Do this even if you only installed the plugin briefly.
  3. Check your API dashboards for unexpected usage spikes or charges — if keys were stolen and resold, you may see activity you did not generate.
  4. Search your installed plugin list for any of the seven vendor names (CodePilot, StackSmith, CodeCrafter, CodeWeaver, JetCode, DailyCode, ZenCoder).
  5. Check your firewall or proxy logs for outbound connections to 39.107.60[.]51.
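A small triage helper for steps 4 and 5 above, using the key format described under "How the Theft Worked". This is an added example, not code from Aikido or JetBrains; it assumes a plain-text proxy log with one request per line and an IDE plugin inventory already exported as (name, vendor) pairs, and the log lines it ships with are constructed.

```python
import re

# Indicators from the article; the IP is defanged there (39.107.60[.]51) and written plainly here for matching only.
EXFIL_HOST = "39.107.60.51"
EXFIL_PATH = "/api/software/key"
FAKE_VENDORS = {"CodePilot", "StackSmith", "CodeCrafter", "CodeWeaver",
                "JetCode", "DailyCode", "ZenCoder"}
MALICIOUS_PLUGINS = {
    "DeepSeek AI Assist", "CodeGPT AI Assistant", "DeepSeek Coder AI",
    "Coding Simple Tool", "DeepSeek Git Commit", "DeepSeek FindBugs",
    "DeepSeek AI Chat", "DeepSeek Junit Test", "AI Coder Review",
    "DeepSeek Dev AI", "AI FindBugs", "DeepSeek AI Coding",
    "AI Coder Assistant", "AI Git Commitor", "DeepSeek Code Review"}
# Key shape the article says was targeted: "sk-" prefix, 51 characters in total.
KEY_RE = re.compile(r"\bsk-[A-Za-z0-9_-]{48}\b")

def redact(text):
    """Mask any matching key so a finding can be shared without leaking it."""
    return KEY_RE.sub(lambda m: m.group(0)[:6] + "...[REDACTED]", text)

def scan_proxy_log(lines):
    """Return (line_no, reason, redacted_line) for each line that reached the host."""
    findings = []
    for n, line in enumerate(lines, 1):
        if EXFIL_HOST not in line:
            continue
        reason = "contact with key-collection host"
        if EXFIL_PATH in line:
            reason = "request to key-collection endpoint"
        if KEY_RE.search(line):
            reason += ", sk- key present in plaintext"
        findings.append((n, reason, redact(line)))
    return findings

def flag_plugins(installed):
    """installed: (plugin_name, vendor) pairs; flags the 15 plugins and the 7 vendors."""
    hits = []
    for name, vendor in installed:
        if name in MALICIOUS_PLUGINS:
            hits.append((name, vendor, "listed malicious plugin"))
        elif vendor in FAKE_VENDORS:
            hits.append((name, vendor, "published by a fake vendor account"))
    return hits

# Constructed sample proxy lines (not real traffic); the key is a dummy value.
SAMPLE_LOG = [
    "2026-06-12T09:14:02Z dev-laptop-7 POST http://39.107.60.51/api/software/key 200 key=sk-" + "A" * 48,
    "2026-06-12T09:14:05Z dev-laptop-7 GET https://api.openai.com/v1/models 200",
    "2026-06-12T09:16:40Z dev-laptop-3 CONNECT 39.107.60.51:80 200",
]
```

Any hit from scan_proxy_log means the key on that machine should be treated as stolen and rotated, even if the plugin has since been removed.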

How These Passed Review

JetBrains states that every plugin goes through manual review within two business days, including automated checks for suspicious activity. The problem is that these plugins were functional. A reviewer testing a DeepSeek commit-message generator would see it work correctly. The malicious logic — a hooked save handler exfiltrating to a hardcoded IP — is not visible in a surface-level functionality test. JetBrains’ own documentation notes that plugins operate with broad permissions, and that users should exercise caution with third-party publishers.

JetBrains had not publicly responded to Aikido’s disclosure at the time of writing, and at least one plugin remained available for download after the report was published.

The Broader Pattern

This is the third significant supply chain attack targeting developer tooling in 2026. The Mastra npm incident saw 144 packages backdoored across the JavaScript ecosystem. The AUR attack deployed an eBPF rootkit through Arch Linux packages. Now JetBrains Marketplace. Each incident targets where developers actually work — not where they browse the internet.

IDEs are high-value targets. They hold source code, cloud credentials, signing keys, and now AI API keys all in one place. Plugins run with elevated privileges and minimal sandboxing. BleepingComputer’s coverage underscores what security researchers have been saying for years: developers extend deep trust to tools integrated into their daily workflow, and that trust is the attack surface.

Treat installed IDE plugins the same way you treat third-party npm packages: with healthy suspicion, active review, and the assumption that unknown publishers should not receive your long-lived secrets.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover the latest tech news and controversies, and to summarize them into byte-sized and easily digestible information.
