15 Malicious JetBrains Plugins Caught Stealing DeepSeek, OpenAI API Keys
15 malicious JetBrains plugins posing as AI assistants steal API keys from developers.
Summary
Cybercriminals deployed 15 fake AI coding assistant plugins on the JetBrains Marketplace between October 2025 and June 2026, collectively downloaded nearly 70,000 times. The malicious extensions hook into IDE save functions to exfiltrate OpenAI, DeepSeek, and SiliconFlow API keys over unencrypted HTTP to attacker-controlled C2 servers. The attackers also monetized the scheme by reselling stolen API keys back to users through in-app donation prompts.
Full text
Hackers are using 15 malicious JetBrains plugins posing as AI coding assistants to steal DeepSeek, OpenAI, and other developer API keys.

By Deeba Ahmed, June 17, 2026

Cybercriminals are using fake artificial intelligence (AI) tools to target software developers in a coordinated supply chain attack on the JetBrains Marketplace. The compromise was first discovered by the code security firm Aikido Security, which found 15 published plugins designed as AI coding assistants built on large language models (LLMs) like DeepSeek.

The first fake plugins came out at the end of October 2025, and new ones dropped as recently as June 2026. The scammers used seven different seller accounts to publish them. Collectively, the malicious plugins were downloaded nearly 70,000 times. Two of the most downloaded are called CodeGPT AI Assistant and DeepSeek AI Assist. The hackers also added fake five-star reviews to make the tools look safe.

Like similar campaigns, this one's modus operandi consists of getting the extension installed and then exfiltrating the user's private AI authentication credentials to a static, hard-coded server controlled by the attackers.

The Infiltration Method

The malicious code was embedded in otherwise fully functional software offering genuine features like code reviews, automated git commit messages, and unit tests. The infiltration is designed to look like a routine setup step in which developers paste an OpenAI, SiliconFlow, or DeepSeek API key into the settings interface.

According to the researchers, the software hooks into the save function of the Integrated Development Environment (IDE), the main application in which developers write code. The moment a user applies their changes, the extension transmits the authentication data in plaintext over an unencrypted HTTP connection to the attackers' C2 server. This transmission happens silently in the background, with no permission prompts or visual indicators.

A Monetised Secondary Tier

Aikido researchers explained in a blog post shared with Hackread.com that the threat actors also integrated a monetized secondary tier. Users who chose to pay a small fee through an in-app donation prompt received a functional, unrestricted AI key sent back from the malicious server.

"The keys handed to paying users may well be the keys stolen from everyone else, turning the campaign into a service that resells other people's stolen API access."

This model lets the operators steal developer credentials for free on one side while generating direct revenue on the other, leaving the original credential owners to fund the unauthorised compute usage.

The research underlines that attackers are increasingly targeting IDEs. IDE plugins run with high privileges and without sandbox restrictions on developer workstations, which makes them a high-value entry point for stealing source code, cloud credentials, and API access. Similar techniques were observed in late 2025 during the GlassWorm malware campaign, which compromised the Visual Studio Code ecosystem.

Since IDE plugins run directly on sensitive engineering workstations, the researchers advise developers to treat marketplace extensions with the same level of caution as any third-party code dependency.
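One concrete way to act on that advice is to inventory what installed plugins embed. The audit script below is an added example, not code from the article or from Aikido Security; it assumes the standard JetBrains plugin layout (one directory per plugin, jars under lib/, META-INF/plugin.xml inside a jar) and flags any plugin whose class files carry a hard-coded http:// URL, the plaintext-to-static-server trait the article describes. The two-plugin fixture that demo() builds is constructed for illustration.

```python
"""Audit installed JetBrains plugins for hard-coded plaintext-HTTP endpoints.
Added example (not code from the article or Aikido Security): walks a plugins
directory, opens each plugin's lib/*.jar and reports plugins whose class files
embed an http:// URL. demo() runs it on a constructed fixture; real use: audit_plugins(dir)."""
import re
import tempfile
import zipfile
from pathlib import Path

# Plaintext URL inside a string constant; loopback addresses are usually legitimate.
HTTP_URL = re.compile(rb"http://(?!localhost|127\.0\.0\.1)[A-Za-z0-9._~:/?#@!$&()*+,;=%-]+")
PLUGIN_ID = re.compile(rb"<id>\s*([^<\s]+)\s*</id>")


def scan_jar(jar: Path) -> tuple:
    """Return (plugin id from META-INF/plugin.xml or None, set of http:// URLs)."""
    plugin_id, urls = None, set()
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.endswith("plugin.xml"):
                m = PLUGIN_ID.search(zf.read(name))
                plugin_id = m.group(1).decode() if m else plugin_id
            elif name.endswith(".class"):
                urls |= {u.decode() for u in HTTP_URL.findall(zf.read(name))}
    return plugin_id, urls


def audit_plugins(plugins_dir: Path) -> dict:
    """Map each plugin (id, else directory name) to the plaintext endpoints it embeds."""
    findings = {}
    for plugin_dir in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        label, urls = plugin_dir.name, set()
        for jar in plugin_dir.glob("lib/*.jar"):
            pid, found = scan_jar(jar)
            label, urls = pid or label, urls | found
        if urls:  # only plugins that talk plaintext HTTP are reported
            findings[label] = urls
    return findings


def demo() -> dict:
    """Constructed fixture: a plugin with a hard-coded C2-style URL and a clean one."""
    root = Path(tempfile.mkdtemp())
    for name, pid, blob in (
        ("ai-assist", "com.example.fakeassist", b"\xca\xfe\xba\xbe\x00\x1bhttp://198.51.100.7/collect\x01\x00"),
        ("clean", "com.example.clean", b"\x00\x19https://api.openai.com/v1\x00\x16http://localhost:8080/x"),
    ):
        (root / name / "lib").mkdir(parents=True)
        with zipfile.ZipFile(root / name / "lib" / "plugin.jar", "w") as zf:
            zf.writestr("META-INF/plugin.xml", f"<idea-plugin><id>{pid}</id></idea-plugin>")
            zf.writestr("com/example/Settings.class", blob)
    return audit_plugins(root)
```

A hit is a reason to inspect the plugin, not proof of malice; the complementary network-side check is to block or alert on any plaintext HTTP egress from the IDE process that carries an API-key-shaped string.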
Indicators of Compromise
- malware — CodeGPT AI Assistant
- malware — DeepSeek AI Assist
- malware — GlassWorm