Malicious JetBrains Plugins: 15 Found Stealing AI API Keys

Security researchers have uncovered a coordinated attack campaign built around malicious JetBrains plugins that quietly steal AI provider API keys — and the operation has been running largely undetected since late October 2025. If you’re a developer who’s installed any AI coding assistant from the JetBrains Marketplace in the past eight months, it’s time to audit your credentials.

• Malicious JetBrains plugins disguised as AI coding assistants have stolen API keys from developers since October 2025.
• Fifteen malicious JetBrains plugins were identified, with two boasting over 25,000 downloads each on the Marketplace.
• A separate Chrome extension campaign called PromptSnatcher is secretly recording full AI chatbot conversations across eight major platforms.
• Stolen API keys appear to be resold in LLMjacking schemes, letting attackers profit from victims’ paid AI accounts.

How the Malicious JetBrains Plugins Work

Researchers at Aikido Security identified 15 malicious JetBrains plugins across the Marketplace, all sharing a nearly identical codebase and a consistent strategy: impersonate a legitimate AI coding tool, then quietly drain any API key the user hands over. Aikido researcher Ilyas Makari described the setup bluntly — the plugins ‘function exactly as advertised,’ delivering chat, code review, commit message generation, unit tests, and bug detection. But the moment you enter your OpenAI, SiliconFlow, or DeepSeek key in the settings panel, it’s transmitted in plaintext over HTTP to a remote server at IP address 39.107.60[.]51.

That’s not a clumsy mistake. Sending credentials in plaintext, rather than encrypted HTTPS, means the key is trivially interceptable anywhere along the network path — not just by the attacker’s server, but by anyone watching traffic in between. It’s hard to read that as anything other than deliberate. Each of these malicious JetBrains plugins was engineered to exfiltrate credentials silently, with no error, warning, or indication to the user that anything unusual had occurred.

The plugin names were crafted to look credible in a marketplace crowded with genuine AI tools. Names like DeepSeek AI Assist, CodeGPT AI Assistant, and AI Coder Review ride the wave of developer enthusiasm around DeepSeek and large language models. Two of them — CodeGPT AI Assistant and DeepSeek AI Assist — had more than 25,000 downloads each, though Aikido flagged the possibility those numbers were artificially inflated to manufacture legitimacy. The full list of affected plugins includes:

• DeepSeek Junit Test
• DeepSeek Git Commit
• DeepSeek FindBugs
• DeepSeek AI Chat
• DeepSeek Dev AI
• DeepSeek AI Coding
• AI FindBugs
• AI Git Commitor
• AI Coder Review
• DeepSeek Coder AI
• AI Coder Assistant
• DeepSeek Code Review
• CodeGPT AI Assistant
• DeepSeek AI Assist
• Coding Simple Tool

The Monetisation Scheme Behind the Campaign

What makes this campaign particularly cynical is its built-in business model. The malicious JetBrains plugins don’t just steal credentials and disappear — they run a ‘paid tier’ through a donation wall embedded in the plugin interface. When a user pays a small fee, the attacker’s server sends back a working API key. From the user’s perspective, they’ve just purchased access to an AI service. In reality, they’ve been handed a stolen credential belonging to someone else.

Makari put it plainly: ‘The operator collects money on one side and free credentials on the other, while the genuine key owners pay the bill.’ It’s an elegantly parasitic loop — victims generate the keys, attackers harvest them, and paying customers consume them. The genuine account holders are left with unexpected charges and no idea why their API usage has spiked.

This feeds directly into what the security industry calls LLMjacking — the practice of using stolen AI provider credentials to access paid services without authorisation. As AI API costs have climbed with broader adoption, stolen keys have become a genuine commodity. A working OpenAI API key with a high usage limit is worth real money, and underground markets have emerged to trade them. This campaign appears to have built the theft and redistribution into a single, self-sustaining product. The malicious JetBrains plugins serve as the collection mechanism at one end, while the donation-wall storefront handles monetisation at the other.

A Broader Attack on the Developer Ecosystem

The campaign isn’t an isolated incident — it’s part of a growing pattern of attacks that treat developer tooling as a high-value attack surface. Developers are attractive targets for obvious reasons: their machines host source code, cloud credentials, signing keys, and — increasingly — API keys for paid AI services. The open-source and marketplace ecosystem has made it easier than ever to inject malicious code into tools that run with elevated privileges on a developer’s system.

We’ve seen similar tactics play out through npm, PyPI, and GitHub Actions. The malicious JetBrains plugins follow the same playbook, but they’re targeting a more specific and lucrative class of credential. Unlike a compromised npm package that might exfiltrate environment variables, these malicious JetBrains plugins were designed from the ground up to intercept AI credentials specifically — a sign that attackers are paying close attention to where developers store value.

Aikido’s advice cuts to the core of the problem: ‘Treat a plugin the same way you would treat any dependency that runs with your privileges, and be cautious about pasting long-lived secrets into tools you have not vetted.’ That’s good counsel, but it also highlights a systemic issue: marketplace vetting processes at JetBrains — and frankly across most developer tool platforms — aren’t catching this kind of threat before it reaches users. If a campaign involving malicious JetBrains plugins can run for eight months and rack up tens of thousands of installs, the pre-publication review process needs a harder look.

PromptSnatcher: Chrome Extensions Stealing Your AI Conversations

Separately, researcher Jean-Marie R. has uncovered a second campaign targeting a different kind of AI-adjacent data — your actual conversations with chatbots. Dubbed PromptSnatcher, the operation centres on two Chrome extensions that present themselves as ad blockers while secretly recording everything you type into ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, xAI Grok, and Meta AI.

The extensions — Smart Adblocker (90,000 users) and Adblock for Browser (10,000 users) — were both published years ago, in 2022 and 2023 respectively. That longevity matters. Extensions with a long publishing history tend to attract less scrutiny from users and potentially from Google’s own review processes. The AI-harvesting capability wasn’t there from day one; it was likely slipped in through a subsequent update, a technique that sidesteps initial vetting and exploits the trust users have already extended to a tool they’ve been using for years.

What’s being captured goes well beyond the actual text of conversations. According to the researcher, the extensions intercept ‘full AI conversation history, model usage, and subscription tier’ across all eight platforms. That last detail — subscription tier — is telling. Knowing whether a user is on a free or paid tier helps an attacker gauge the value of their account and potentially target premium users for follow-on attacks. The data is transmitted to operator-controlled infrastructure, and the only disclosure users receive is a vague ‘Enhanced Protection’ consent string buried in the extension’s terms.

Both extensions remain on the Chrome Web Store at time of writing. Whether they violate Google’s published extension policies is, somewhat astonishingly, still unclear — a grey area that probably warrants a definitive answer from Google given the scale of data collection involved.

What Developers and AI Users Should Do Right Now

If you’ve installed any of the 15 flagged malicious JetBrains plugins from the Marketplace, the immediate step is to revoke and regenerate any AI provider API keys you’ve entered into those tools. Don’t assume rotating the key is sufficient if you haven’t also removed the plugin — it will just steal the new one. Check your OpenAI, DeepSeek, and SiliconFlow billing dashboards for unexpected usage spikes, which could indicate your key has already been put to work.

For Chrome users, both PromptSnatcher extensions are still live. Removing Smart Adblocker and Adblock for Browser is prudent if you use any of the eight targeted AI platforms. There’s no reliable way to know how much conversation data has already been collected, which makes this more of a damage-limitation exercise than a clean fix.

The deeper lesson here is structural. As AI API keys become as sensitive as cloud credentials, they need to be treated with the same rigour — stored in secrets managers, scoped as narrowly as possible, rotated regularly, and never pasted into third-party tools that haven’t been independently vetted. The malicious JetBrains plugins uncovered by Aikido are a clear signal that attackers understand the value of what they’re after. The question is whether the developer community — and the platforms that serve it — will catch up fast enough to matter.

Source: The Hacker News

Frequently Asked Questions