Tuesday, July 14, 2026

News

Fake AI Plugins on JetBrains Marketplace Stole API Keys for Eight Months

CodingPatryk Raba
Fot. Tima Miroshnichenko, Pexels (Pexels License)

Fifteen plugins impersonating AI coding assistants racked up roughly 70,000 installs on the JetBrains Marketplace before researchers traced a scheme stealing OpenAI, DeepSeek, and SiliconFlow API keys. Separately, two Chrome extensions were caught eavesdropping on users' chatbot conversations.

Contents
  1. How the attack worked
  2. Scale of the campaign
  3. A double revenue stream
  4. Browser eavesdropping
  5. What happens next

Fifteen plugins posing as AI coding assistants operated in the official JetBrains Marketplace for eight months before security researchers uncovered a scheme to steal API keys. At the same time, two seemingly harmless Chrome browser extensions were eavesdropping on users' conversations with chatbots like ChatGPT and Claude.

How the attack worked

The plugins marketed themselves as coding assistants built on DeepSeek and other large language models, offering chat, commit message generation, code review, bug finding, and unit test writing. They worked exactly as advertised, which lulled developers who installed them from the official store into a false sense of security.

The trouble started the moment a user pasted their own API key into the plugin's configuration. Instead of staying local, the key was sent over an unencrypted HTTP connection to a hardcoded server address controlled by the attackers.

The key was quietly exfiltrated over an unencrypted HTTP connection to a hardcoded command-and-control server at 39.107.60.51 - Ilyas Makari, researcher at Aikido Security

Scale of the campaign

According to StepSecurity's analysis, the campaign began on October 31, 2025 and accelerated sharply in June 2026, right before it was detected. In total, fifteen plugins spread across seven publisher accounts gathered about 70,000 installs over eight months, with the two most popular listings alone, CodeGPT AI Assistant and DeepSeek AI Assist, accounting for more than 53,000 downloads.

The command-and-control server, identified as 39.107.60.51, ran on Alibaba Cloud infrastructure in Beijing and had an admin panel labeled in Chinese as an information management platform. The malicious code specifically targeted API keys matching the formats used by OpenAI, DeepSeek, and SiliconFlow, recognizing strings starting with sk- that were 51 characters long.

A double revenue stream

Some of the plugins also exploited an in-app donation system. Users paid for supposedly premium feature access, and in return the attackers' server would send them a working API key, most likely one stolen earlier from a different victim. The operator effectively earned twice over, charging some users fees while harvesting free credentials from others.

Browser eavesdropping

Separately from the JetBrains Marketplace campaign, researchers described an operation called PromptSnatcher, in which two Chrome extensions disguised as ad blockers, Smart Adblocker and Adblock for Browser, captured full conversation histories from eight AI platforms. The extensions logged not just the content of chats with ChatGPT, Claude, Gemini, Copilot, Perplexity, DeepSeek, Grok, and Meta AI, but also metadata about which model was used and the subscription tier, sending everything to servers controlled by the operator without clear notice to users beyond a vague consent to enhanced protection.

The extensions contain a custom-built interception engine that logs private conversations - from findings by researcher Jean-Marie R.

What happens next

After being notified by Aikido Security, JetBrains removed all fifteen plugins, banned seven publisher accounts, and remotely disabled them in development environments where they were already installed. The company also acknowledged that its existing Plugin Verifier tool was designed mainly to check API compatibility and usage patterns rather than to detect malicious data-stealing code, and announced it would tighten the review process for published plugins.

Any developer who entered an OpenAI, DeepSeek, or SiliconFlow API key into one of the listed plugins should treat that credential as compromised, revoke it immediately, and generate a new one. The same goes for users of the Chrome extensions mentioned above, who should uninstall them and check their conversation history for exposed data.

The case also concerns Polish development teams, for whom JetBrains tools like IntelliJ IDEA, PyCharm, and WebStorm are among the most widely used work environments. As the push to integrate AI tools directly into code editors accelerates, so does the room for abuse, and a plugin store's official status does not automatically guarantee protection against malware posing as popular coding-assistant features.

Sources: Malicious JetBrains Plugins Steal AI API Keys as Chrome Extensions Capture Chatbot Chats (thehackernews.com), 15 Malicious JetBrains Plugins Stole AI API Keys from 70,000 Developers (stepsecurity.io)

Share: