Overview
In June 2026, the security research team Aikido detected a batch of collaborative malicious plugins in the JetBrains plugin market, totaling 15 plugins with nearly 70,000 cumulative installations. All of them would silently leak the AI service provider’s API key to the attacker’s server at the moment when the user saved it. This batch of plugins uses large language models such as DeepSeek and OpenAI as selling points, providing common development auxiliary functions such as AI code completion, Git Commit generation, bug detection and unit testing. The appearance and function are no different from normal plugins. However, there is hidden key stealing logic inside it, and the earliest version can be traced back to October 2025. Some new versions are still being released when the incident was exposed in June 2026. Because there is room for fake downloads in the plugin market and a large number of false five-star reviews, it is difficult to accurately assess the actual scale of damage.
Attack method
All 15 plugins share the same core code base and are repackaged under different names and brands. Users enter the API key of services such as OpenAI, SiliconFlow or DeepSeek in the configuration panel. It seems to be an ordinary plugin initialization operation, but the key is forwarded to a remote server controlled by the attacker the moment it is saved. There is no pop-up prompt or authorization interface in the whole process, and the stealing behavior is completely hidden inside the normal configuration logic.
The save() method is triggered the moment the user clicks “Apply” to save the key. The code first verifies the key format (starting with sk-, 51 characters long), and then immediately calls BaseUtil.request() to send the key as a request body field to an external server. The entire process is executed synchronously in the main thread without any asynchronous delay or user perception. Attackers merge malicious logic with normally configured persistence logic in the same method, which is a key means for them to bypass code audits.
The key is sent to the hard-coded IP address (39.107.60[.]51) via a plaintext HTTP POST request, and the request header carries the static authentication Token “F48D2AA7CF341F782C1D”. Using plaintext HTTP instead of HTTPS means that traffic in the same network environment (such as corporate intranet, VPN exit) can be directly captured by intermediate devices. The C2 servers use direct IP addresses instead of domain names, which is also a common method to circumvent domain name reputation detection.
After the user pays a small fee, the C2 server will send an available key to the plugin client, and the plugin will then use the server key instead of the user’s own key to initiate AI requests. It is reasonable to assume that the keys issued are credentials stolen from other victims. Attackers have built an illegal AI service distribution system with stolen API keys as underlying assets: one side continues to harvest keys from free users, and the other side sells computing power access rights to paying users, forming a self-sufficient attack closed loop. This model operates API keys as an underground economy of circulating commodities.
High-value attack surface of IDE plugins
The developer’s IDE environment centrally stores a large number of high-value credentials, including:
- Source code and internal business logic
- Cloud service provider access key (AWS, GCP, Azure)
- Code Signing Private Key
- AI service provider API key (can be directly monetized or used for computing power consumption)
The IDE plugin runs in a highly trusted, always-on resident environment with no sandbox restrictions and complete file system and network access rights. This makes it an ideal vector for supply chain attacks. A properly functioning plugin only needs to embed a small amount of malicious logic to lurk for a long time.
Although the JetBrains plugin market has a manual review process, hidden background behavior in properly functioning plugins may still pass the review. Similar attacks have appeared in the VS Code ecosystem, with the GlassWorm activity being a typical case. The IDE plugin supply chain is becoming a continuous attack surface.
Affected Plugin List
The following plugins are all from 7 different vendor accounts, sharing the same malicious code base:
| Plugin name | Plugin ID | Downloads | Release time |
|---|---|---|---|
| DeepSeek Junit Test | org.sm.yms.toolkit | 1,121 | 2025-10-31 |
| DeepSeek Git Commit | com.json.simple.kit | 1,894 | 2025-11-01 |
| DeepSeek FindBugs | org.bug.find.tools | 1,485 | 2025-11-09 |
| DeepSeek AI Chat | org.translate.ai.simple | 1,317 | 2025-11-23 |
| DeepSeek Dev AI | com.yy.test.ai.simple | 740 | 2025-11-30 |
| DeepSeek AI Coding | com.dev.ai.toolkit | 450 | 2025-12-06 |
| AI FindBugs | com.json.view.simple | 623 | 2025-12-14 |
| AI Git Commitor | com.my.git.ai.kit | 301 | 2026-01-10 |
| AI Coder Review | org.check.ai.ds | 735 | 2026-01-11 |
| DeepSeek Coder AI | com.review.tool.code | 3,498 | 2026-01-15 |
| AI Coder Assistant | org.code.assist.dev.tool | 319 | 2026-02-01 |
| DeepSeek Code Review | com.coder.ai.dpt | 278 | 2026-04-18 |
| CodeGPT AI Assistant | com.my.code.tools | 25,571 | 2026-06-09 |
| DeepSeek AI Assist | ord.cp.code.ai.kit | 27,727 | 2026-06-10 |
| Coding Simple Tool | com.dp.git.ai.tool | 3,931 | — |
Event summary
More and more developers are introducing third-party plugins that are deeply integrated with the LLM API in their daily workflow. The opportunity seen by attackers is that AI keys have direct economic value and can be resold or used to consume computing power; while developers’ demand for “useful AI plugins” makes them tend to lower their vigilance in security assessments.
From npm package poisoning to VS Code extension attacks, and then to this JetBrains plugin incident, developer toolchain supply chain attacks have formed a continuous and active threat situation. In the context of the rapid expansion of AI tools, the security review mechanism of the plugin ecosystem and the security awareness of developers need to be upgraded simultaneously.
Reference link
[1] https://www.aikido.dev/blog/multiple-jetbrains-ide-plugins-caught-stealing-ai-keys
[2] https://thehackernews.com/2026/06/malicious-jetbrains-plugins-steal-ai.html
