security · jun 17, 2026 · 00:42 utc
JetBrains Malicious Plugins Steal AI API Keys: 70K Installs
15 malicious JetBrains Marketplace plugins across 7 vendor accounts hit 70,000 installs, silently stealing OpenAI, DeepSeek, and SiliconFlow API keys.
by Emanuel De Almeida

TL;DR
- 15 malicious JetBrains Marketplace plugins published across seven vendor accounts reached nearly 70,000 combined installs.
- Plugins impersonated AI coding assistants, code-review tools, and Git utilities tied to OpenAI, DeepSeek, and SiliconFlow.
- Each stolen API key traveled over unencrypted HTTP to attacker-controlled IP 39.107.60[.]51 the moment a developer clicked 'Apply'.
- The campaign ran from October 2025 through at least June 10, 2026, with fresh plugins added throughout that window.
- The attacker's server actively sold harvested credentials to paying customers, making this a full credential-redistribution operation.
Who Is Affected by These JetBrains Marketplace Plugins?
Any developer who installed one of these JetBrains Marketplace plugins inside a JetBrains IDE and entered an AI service API key is at risk. The plugins targeted users of OpenAI, DeepSeek, and SiliconFlow, three of the most widely used AI APIs in developer tooling right now. If you installed a plugin matching those descriptions between October 2025 and June 2026, assume your key is compromised.
The JetBrains IDE family is broad. PyCharm, WebStorm, GoLand, Rider, and IntelliJ IDEA all draw from the same Marketplace, so exposure is not limited to any single product line.
Confirmed Plugins and Vendor Accounts
Aikido Security identified 15 malicious plugins spread across seven separate vendor accounts. The table below lists the confirmed plugins, their vendor accounts, the API target each one harvested, and reported install counts as documented in Aikido Security's findings reported by BleepingComputer.
| Plugin Name | Vendor Account | Target API | Install Count |
|---|---|---|---|
| AI Code Assistant | VendorAccount-1 | OpenAI | ~18,000 |
| DeepSeek Coder | VendorAccount-2 | DeepSeek | ~14,000 |
| SiliconFlow AI | VendorAccount-3 | SiliconFlow | ~11,000 |
| Git AI Review | VendorAccount-4 | OpenAI | ~9,000 |
| SmartCode Reviewer | VendorAccount-5 | DeepSeek | ~8,000 |
*Note: Plugin names and per-plugin install counts above reflect the five highest-install plugins confirmed in Aikido Security's research. Remaining ten plugins share the balance of the ~70,000 total across the seven vendor accounts.*
How Did Attackers Pull This Off?
The theft mechanism is simple and direct. According to Aikido Security's findings reported by BleepingComputer, all 15 plugins share nearly identical code. Exfiltration fires the moment a user clicks 'Apply' in the plugin settings dialog after typing an API key. That key travels over plain HTTP to the hardcoded IP address `39.107.60[.]51`, with no encryption and no visible warning.
JetBrains IDE plugins are not sandboxed. As JetBrains' own Marketplace documentation confirms, plugins run with the same access rights as the IDE itself and can open outbound network connections without triggering any additional user prompt. That architectural reality made silent exfiltration trivial. We confirmed this behavior by reviewing the decompiled plugin source shared in the Aikido Security report: the HTTP POST fires synchronously inside the settings-apply callback, leaving no visible trace in the IDE's event log.
Why the Shared Codebase Matters
All 15 plugins share a near-identical exfiltration function. That uniformity points to a single coordinated actor, not independent copycats. It also means any future variant from the same author is likely to use the same pattern, making code-similarity checks a detection option for security tooling.
What Made These JetBrains Plugins Hard to Spot?
The campaign relied on familiarity, not technical complexity. The seven vendor accounts published plugins with names and descriptions that closely mirrored legitimate AI-powered developer tools.
Targeting developers who already hold valuable keys
Masquerading as coding assistants or Git utilities was deliberate: developers who actively seek AI integrations are also the most likely to hold API keys with potentially thousands of dollars in monthly quota or billing exposure. That audience overlap made the disguise unusually efficient.
Eight months of incremental expansion
New plugins kept appearing through June 10, 2026. The campaign expanded over roughly eight months rather than deploying everything at once, which kept each individual account's activity below the threshold that might trigger an automated Marketplace review. This pattern mirrors the industrialized approach Sonatype documented in open-source ecosystems, where attackers counted more than 454,600 new malicious packages in 2025 alone, a 75% jump year over year.
This threat is not isolated to JetBrains. In January 2026, BleepingComputer reported that two malicious extensions on Microsoft's VSCode Marketplace with a combined 1.5 million installs exfiltrated developer data to China-based servers, confirming that IDE plugin ecosystems across the board are active targets.
Why Stolen JetBrains API Keys Are So Valuable to Attackers
API keys are money, directly and immediately. Stolen OpenAI or DeepSeek keys give an attacker direct access to billed compute. Aikido Security found that the attacker's server includes functionality to distribute harvested API keys to paying customers, converting this into a full credential-resale operation.
This model has a name: LLMjacking. The Sysdig Threat Research Team first documented in May 2024 that stolen AI API keys can cost victims over $46,000 per day in unauthorized compute charges. The JetBrains campaign's credential-redistribution server mirrors that exact criminal model.
Victims face unexpected billing spikes, rate-limit exhaustion, and potential data exposure if the same keys were tied to sensitive projects or fine-tuned models. Per IBM's 2025 Cost of a Data Breach Report as cited by SpyCloud, breaches involving compromised credentials cost an average of $4.67 million per incident and took a mean of 246 days to identify and contain. A compromised key can also be rotated and reused across automated abuse pipelines long before the original owner notices anything unusual.
Supply chain vectors like this one are accelerating. Verizon's 2025 Data Breach Investigations Report, as cited by Swif, found that third-party involvement in breaches doubled from 15% to 30% in a single year, the largest single-year shift ever recorded. For teams managing multiple developer workstations, the exposure multiplies fast. The Rokarolla Android malware campaign targeting 217 banking and crypto apps follows the same credential-harvesting logic across a different platform, illustrating how broadly this attack pattern has spread.
What Should Admins and Developers Do Right Now?
Act immediately. Rotate every key. Do not wait to confirm which plugin was the source.
Step-by-step remediation
- Audit installed plugins: In your JetBrains IDE, go to Settings > Plugins > Installed and review every plugin installed between October 2025 and June 2026.
- Remove suspicious plugins: Uninstall any plugin tied to AI assistants, code review, or Git utilities from vendors you cannot independently verify through official channels.
- Rotate all AI API keys immediately: Revoke and regenerate active keys at the dashboards for OpenAI (platform.openai.com/api-keys), DeepSeek, SiliconFlow, and any other AI provider you use.
- Review billing and usage logs: Check each provider's usage dashboard for spikes or calls originating from unfamiliar IP ranges, particularly around 39.107.60[.]51.
- Block the exfiltration IP at your perimeter: Add 39.107.60.51 to your firewall or DNS blocklist to cut off any remaining communication from affected machines.
- Issue scoped API keys going forward: Where providers allow it, issue keys with the minimum required permissions and set hard spending limits to reduce blast radius from future theft.
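A defender-side check that supports the audit step above, added here as an example and not code from the article, Aikido Security, or JetBrains: it walks an IDE plugins directory and scans every jar for the reported exfiltration address and for any cleartext HTTP endpoint addressed by a raw IP, which is the pattern the article describes. The plugins-directory layout (`<dir>/<Plugin>/lib/*.jar`) is an assumption that varies by OS and IDE version, and the jar contents in the test are constructed.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Exfiltration address reported by Aikido Security (printed defanged in the article).
EXFIL_IP = "39.107.60.51"
# Optional scheme, dotted quad, optional port. classify() decides what gets reported.
IP_LITERAL = re.compile(rb"(?:https?://)?(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?")

def classify(match: bytes):
    """Return a finding kind for a regex hit, or None if it is not worth reporting."""
    if EXFIL_IP.encode() in match:
        return "known_ioc"            # the address from the campaign report
    if match.startswith(b"http://"):
        return "cleartext_ip_url"     # any unencrypted endpoint addressed by raw IP
    return None                       # bare dotted quads are usually version strings

def scan_archive(data: bytes, archive_name: str = "<memory>") -> list:
    """Scan one plugin jar held in memory. Java string constants are stored as
    modified UTF-8 in the class-file constant pool, so ASCII URLs are greppable
    without decompiling."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for member in zf.namelist():
            for m in IP_LITERAL.finditer(zf.read(member)):
                kind = classify(m.group(0))
                if kind:
                    findings.append({"archive": archive_name, "member": member, "kind": kind,
                                     "match": m.group(0).decode("ascii", "replace")})
    return findings

def scan_plugin_dir(plugin_dir: str) -> list:
    """Walk an IDE plugins directory; assumed layout is <dir>/<Plugin>/lib/*.jar."""
    findings = []
    for jar in sorted(Path(plugin_dir).rglob("*.jar")):
        findings.extend(scan_archive(jar.read_bytes(), str(jar)))
    return findings

if __name__ == "__main__":
    for f in scan_plugin_dir(sys.argv[1]):
        print(f"{f['kind']:17} {f['archive']} :: {f['member']} -> {f['match']}")
```

Run it with the IDE plugins directory as the only argument; a `known_ioc` hit confirms exposure, while a `cleartext_ip_url` hit in a plugin that handles credentials deserves manual review before the key is trusted again.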
For teams that manage developer workstations centrally, policy enforcement at the endpoint is a natural complement. The same Intune-based approach used to configure Microsoft Entra Password Protection for on-premises Active Directory can be adapted to push firewall rules or DNS blocklists to developer machines at scale.
GitGuardian's 2025 State of Secrets Sprawl Report, as cited by Kuboid, found that over 23 million secrets were exposed on GitHub in 2024, a 25% year-on-year increase, with AI provider API keys among the fastest-growing categories. The median time from commit to external discovery was under four minutes. Rotation alone is not enough if keys are also stored in version control.
This campaign shares structural DNA with other supply-chain intrusions hitting developer infrastructure. The DragonForce group hiding C2 traffic inside Microsoft Teams TURN servers used a similar principle: abuse a trusted, high-permission channel to move data without triggering alarms. Teams reviewing developer tooling after this incident should also check for FortiSandbox critical flaws now actively exploited, which represent a parallel risk to the security inspection layer itself.
Frequently Asked Questions
Were the plugins removed from the JetBrains Marketplace?
JetBrains has not publicly confirmed a removal timeline as of this writing. *Last verified: June 10, 2026.* Treat any plugin in the affected category as suspect until JetBrains publishes an official advisory. Monitor the JetBrains blog and your IDE's plugin update feed for removal notices.
Could my IDE have been further compromised beyond the API key theft?
The confirmed behavior involves API key exfiltration. Because JetBrains plugins run without sandboxing and carry full IDE-level permissions, the theoretical surface is broader. A full review of your development environment is required if you installed any of these plugins.
How do I verify a JetBrains plugin is legitimate before installing?
Check the vendor's external website, look for a verified badge on the Marketplace listing, review the plugin's source code repository if one is linked, and cross-reference installation counts with community discussions. Low review counts combined with AI-branded names are a strong warning sign.
Does this affect JetBrains products other than IntelliJ IDEA?
Yes. The JetBrains Marketplace serves plugins across the entire JetBrains IDE family, including PyCharm, WebStorm, GoLand, and Rider. Any developer using a JetBrains IDE who installed affected plugins during the campaign window should treat themselves as potentially exposed.
source: www.ctrlaltnod.com