A cluster of 15 malicious JetBrains Marketplace plugins disguised as AI coding assistants has been caught quietly stealing developers’ AI provider API keys — including OpenAI, DeepSeek, and SiliconFlow credentials — and shipping them to a hard-coded, attacker-controlled server. Collectively the plugins were installed nearly 70,000 times, making this one of the more successful developer-supply-chain campaigns of the year. The first fakes appeared at the end of October 2025, and new ones were still being published as recently as June 2026.

The genius and the menace of the campaign are the same thing: the plugins actually worked. Victims got functioning AI tooling and never had a reason to look closer.

Real features, hidden theft

The malicious plugins weren’t hollow shells. They delivered genuine, useful functionality — code reviews, automated git commit messages, unit-test generation — wrapped around a small payload whose only job was to grab the user’s AI authentication credentials and exfiltrate them. Because the developer experience was legitimate, the malicious behavior generated no obvious symptoms. The key you pasted in to enable “your” AI assistant was the key being stolen.

The two most-downloaded entries tell the story:

  • DeepSeek AI Assist (ord.cp.code.ai.kit) — 27,727 downloads
  • CodeGPT AI Assistant (com.my.code.tools) — 25,571 downloads

Across the full set, the operators used seven different seller accounts to publish and republish the plugins, a deliberate redundancy that let the campaign survive individual takedowns and keep shipping new versions for eight months.

The resale twist

The most elegant part of the scheme is also the most cynical. Researchers at Aikido concluded that the keys handed to paying users of these plugins may well be the keys stolen from everyone else — turning the operation into a service that resells other people’s stolen AI access. In other words, the campaign is potentially self-funding: steal API keys from free users, then monetize those same keys by renting them out, with the original owners footing the inference bill.

For a stolen OpenAI or DeepSeek key, the cost lands squarely on the victim. API keys are bearer tokens — whoever holds one can spend against the owner’s account until it’s revoked. That means runaway inference charges, quota exhaustion, and access to whatever data and fine-tuned models the key was scoped to reach.

Why developer tooling is the soft underbelly

IDE plugin marketplaces sit in a trust gap. Developers install extensions with broad local privileges, rarely audit their code, and assume marketplace presence implies vetting. AI coding assistants make the target richer still: the whole point of the plugin is to handle high-value API credentials, so the malware doesn’t even need to go hunting — the user hands the secret over as part of normal setup.

This is the same supply-chain logic that drives malicious npm, PyPI, and VS Code extension campaigns, now aimed at the AI-tooling gold rush. Where developers go and credentials concentrate, attackers follow.

What developers and teams should do

  • Audit installed JetBrains plugins and remove anything matching the named IDs or any AI assistant of uncertain provenance.
  • Rotate every AI provider API key that was ever entered into a third-party plugin — OpenAI, DeepSeek, SiliconFlow, and others. Assume exposure if you can’t rule it out.
  • Scope and cap keys. Use per-project keys, set hard spend limits, and restrict permissions so a stolen token has a small blast radius.
  • Prefer first-party or well-known vendors for AI tooling, and treat download count as marketing, not a safety signal.
  • Monitor provider billing and usage dashboards for anomalous spend — often the first and only sign a key has been pirated.

The takeaway

The fastest-growing category in developer tooling is now a credential-harvesting target, and “it works fine” is exactly what a good supply-chain implant is supposed to look like. If you’ve installed an AI coding assistant from a marketplace and pasted a provider key into it, the safe assumption is that the key is gone — rotate it today.

Sources