
JetBrains plug-ins steal API keys from AI services


Security firm Aikido Security has discovered malicious plug-ins in the JetBrains Marketplace that intercept API keys from AI services. According to the researchers, at least fifteen extensions are involved, which have been installed nearly 70,000 times in total.

The plug-ins presented themselves as AI assistants for developers. They offered features such as chat, code reviews, commit message generation, bug detection, and unit tests. Although the extensions did what they promised, they secretly sent entered API keys to an external server in the background.

According to Aikido Security, the extensions used virtually identical code. They appeared under different names and vendor accounts but contained the same hidden functionality. The first variants surfaced in late October 2025. New versions continued to be published as recently as June 2026, with the most recent one appearing on June 10.

To use the AI features, users had to enter an API key from services such as OpenAI, DeepSeek, or SiliconFlow. Once this was saved, the plug-in automatically forwarded the key to a server controlled by the attackers.

The researchers found a hard-coded IP address in the software. The data was sent via an unsecured HTTP connection to a server that had no connection to the aforementioned AI providers.

Users were unaware of this activity. No warning or other notification appeared indicating that sensitive data was being transmitted.
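A defender-side check for the pattern described above (a key entered for one of the providers turning up in a plaintext request to a hard-coded IP), added here as an illustration; it is not code from Aikido, BleepingComputer, JetBrains or the plug-ins. It assumes a constructed egress-proxy log format and an allowlist of provider hostnames; the allowlist, the 203.0.113.10 address and the key values are placeholders.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed egress-proxy log lines for this example (not a real capture); assumed
# format is "METHOD URL Authorization=<header value or ->", one request per line.
SAMPLE_LOG = """\
POST https://api.openai.com/v1/chat/completions Authorization=Bearer sk-CONSTRUCTED0001
POST https://api.deepseek.com/chat/completions Authorization=Bearer sk-CONSTRUCTED0002
POST http://203.0.113.10/collect Authorization=Bearer sk-CONSTRUCTED0001
"""
# Assumed allowlist: the only hosts that should ever receive a developer's AI API key.
EXPECTED_KEY_HOSTS = {"api.openai.com", "api.deepseek.com"}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+Authorization=(.*)$")
BEARER_RE = re.compile(r"^Bearer\s+(\S+)$")

def is_ip_literal(host: str) -> bool:
    """True when the destination is a bare IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_key_exfiltration(log_text: str) -> list[dict]:
    """Return requests that send a bearer token somewhere an AI key should not go."""
    findings = []
    seen_at_expected = {}  # token -> allowlisted host it was first sent to
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        bearer = BEARER_RE.match(m.group(3)) if m else None
        if not bearer:
            continue  # unparsable line or request without a bearer credential
        token, url = bearer.group(1), m.group(2)
        parsed = urlparse(url)
        host = parsed.hostname or ""
        reasons = []
        if parsed.scheme != "https":
            reasons.append("plaintext-http")          # key readable on the wire
        if is_ip_literal(host):
            reasons.append("ip-literal-destination")  # hard-coded IP, no provider name
        if host not in EXPECTED_KEY_HOSTS:
            reasons.append("host-not-allowlisted")
        if reasons and token in seen_at_expected:     # same key already used legitimately
            reasons.append("token-reused-from:" + seen_at_expected[token])
        if reasons:
            findings.append({"url": url, "token": token[:6] + "...", "reasons": reasons})
        else:
            seen_at_expected.setdefault(token, host)
    return findings
```

The last reason is the strongest signal: a credential that has already been used against a legitimate provider and then leaves for an unrelated host is exactly the behaviour the researchers describe.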

Suspicious revenue model

Aikido Security also discovered a paid version. Users could gain access to AI functionality for a fee. After payment, the plug-in received an API key from the same external server and then used that key for AI requests.

According to the researchers, this is a remarkable setup. They suspect that the operators may have reused or resold stolen API keys. In that scenario, unsuspecting users provide their own keys, while paying customers gain access to those same accounts.

Aikido’s findings were confirmed by an independent analysis by BleepingComputer. That publication examined the most recent version of the DeepSeek AI Assist plug-in and found the same functionality for intercepting API keys.

Notably, according to BleepingComputer, the plug-in in question was still available via the JetBrains Marketplace at the time of publication.

Developers are an attractive target

The researchers place the campaign within a broader trend of supply chain attacks targeting developers. IDEs often contain source code, cloud credentials, certificates, and other sensitive data. In recent years, API keys for AI services—which represent direct financial value—have been added to this list.

Malicious plug-ins are particularly well-positioned in this regard. They run within a trusted development environment and often gain extensive access to files and settings.

Although JetBrains employs a manual review process for new plug-ins, according to Aikido Security, this campaign demonstrates that hidden malicious functionality can still slip through the checks.

Aikido advises developers to critically review installed AI plug-ins and immediately replace API keys if any of the affected extensions have been in use.