Malicious JetBrains Plugins Steal AI API Keys from Developers

A supply chain campaign has been identified in the JetBrains Marketplace: at least 15 malicious plugins were found covertly exfiltrating developers’ AI service API keys. The plugins, downloaded more than 70,000 times in total, were presented as legitimate AI-powered coding assistants offering AI chat, code generation, bug detection, commit message creation, and unit test writing.

Once installed, the plugins did work as advertised, which is why they drew no suspicion. In the background, however, they harvested the API keys they asked developers to configure for services such as OpenAI, DeepSeek, or SiliconFlow. As soon as a key was entered and applied in the plugin’s settings, the plugin sent it to a hardcoded command-and-control server at 39.107.60[.]51 in an unencrypted HTTP POST request. Because the request was plaintext, the key was exposed not only to the plugin operators but to anyone able to observe traffic on the path to that server.

Some of the plugins also offered a paid tier. After a user paid, the plugin fetched a new API key from the attacker-controlled server and used it in place of the user’s own key. This points to a resale scheme: keys stolen from one set of victims are handed out to paying users, so the operators profit from the subscriptions while the usage charges land on the developers whose keys were stolen.

The campaign dates back to October 2025, and new malicious plugins were still appearing as recently as June 2026. The real impact is hard to gauge from marketplace metrics alone, since download counts can be manipulated, and fake positive reviews were observed on the plugin listings.

Integrated Development Environments (IDEs) are an increasingly attractive target for supply chain attacks because of what they have access to: source code, credentials, signing keys, and AI service API keys. JetBrains plugins run inside the IDE’s own JVM process with no sandbox, so they inherit every permission the IDE has, including unrestricted file system and network access, and developers tend to trust them as they trust the IDE itself. Even with JetBrains’ manual review process, a few lines of exfiltration code hidden inside an otherwise working plugin can pass unnoticed.

Indicators of Compromise (IOCs) include the command-and-control server at 39.107.60[.]51 and the following affected plugins, listed with their plugin IDs and download counts at the time of reporting:

  • DeepSeek Junit Test (`org.sm.yms.toolkit`) – 1,121 downloads
  • DeepSeek Git Commit (`com.json.simple.kit`) – 1,894 downloads
  • DeepSeek FindBugs (`org.bug.find.tools`) – 1,485 downloads
  • DeepSeek AI Chat (`org.translate.ai.simple`) – 1,317 downloads
  • DeepSeek Dev AI (`com.yy.test.ai.simple`) – 740 downloads
  • DeepSeek AI Coding (`com.dev.ai.toolkit`) – 450 downloads
  • AI FindBugs (`com.json.view.simple`) – 623 downloads
  • AI Git Commitor (`com.my.git.ai.kit`) – 301 downloads
  • AI Coder Review (`org.check.ai.ds`) – 735 downloads
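The plugin IDs above are what an installed plugin carries in its descriptor, so they can be checked locally without relying on the marketplace listing. The script below is an added example, not code from the article or from JetBrains: it walks a plugins directory, reads `META-INF/plugin.xml` from every JAR it finds, and reports any whose `<id>` is on the IOC list. It assumes the standard layout (one directory per plugin with its JARs under `lib/`, or a bare `.jar`), and the sample plugins directory it scans is constructed in a temporary folder so it runs offline.

```python
"""Inventory installed JetBrains plugins and flag the IDs from the IOC list.

Added example (not from the article or JetBrains). Assumes each plugin's
main JAR contains META-INF/plugin.xml with an <id> element; dependency
JARs shipped next to it carry no descriptor and are skipped.
"""
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Plugin IDs copied from the article's IOC list.
MALICIOUS_PLUGIN_IDS = {
    "org.sm.yms.toolkit", "com.json.simple.kit", "org.bug.find.tools",
    "org.translate.ai.simple", "com.yy.test.ai.simple", "com.dev.ai.toolkit",
    "com.json.view.simple", "com.my.git.ai.kit", "org.check.ai.ds",
}


def plugin_descriptor(jar_path):
    """Return (plugin_id, plugin_name) from META-INF/plugin.xml, or None.

    Returns None for JARs without a descriptor (library dependencies),
    corrupt archives, or descriptors without an <id>.
    """
    try:
        with zipfile.ZipFile(jar_path) as zf:
            if "META-INF/plugin.xml" not in zf.namelist():
                return None
            root = ET.fromstring(zf.read("META-INF/plugin.xml"))
    except (zipfile.BadZipFile, ET.ParseError):
        return None
    plugin_id = (root.findtext("id") or "").strip()
    if not plugin_id:
        return None
    return plugin_id, (root.findtext("name") or "").strip()


def audit_plugins_dir(plugins_dir):
    """Walk a plugins directory; return (id, name, relative jar path) for each flagged plugin."""
    base = Path(plugins_dir)
    hits = []
    for jar in sorted(base.rglob("*.jar")):
        desc = plugin_descriptor(jar)
        if desc and desc[0] in MALICIOUS_PLUGIN_IDS:
            hits.append((desc[0], desc[1], str(jar.relative_to(base))))
    return hits


def _write_plugin_jar(path, plugin_id, name):
    """Constructed sample data: write a minimal plugin JAR with a descriptor."""
    path.parent.mkdir(parents=True, exist_ok=True)
    xml = f"<idea-plugin><id>{plugin_id}</id><name>{name}</name></idea-plugin>"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/plugin.xml", xml)


def build_sample_plugins_dir():
    """Construct a fake plugins directory: one benign plugin (hypothetical ID),
    one plugin from the IOC list, and a dependency JAR with no descriptor."""
    base = Path(tempfile.mkdtemp(prefix="jb-plugins-"))
    _write_plugin_jar(base / "Benign Tool" / "lib" / "benign-tool.jar",
                      "org.example.benign", "Benign Tool")
    _write_plugin_jar(base / "DeepSeek Git Commit" / "lib" / "plugin.jar",
                      "com.json.simple.kit", "DeepSeek Git Commit")
    with zipfile.ZipFile(base / "DeepSeek Git Commit" / "lib" / "gson.jar", "w") as zf:
        zf.writestr("placeholder.txt", "dependency JAR, no plugin.xml")
    return base


if __name__ == "__main__":
    sample = build_sample_plugins_dir()
    for plugin_id, name, jar in audit_plugins_dir(sample):
        print(f"FLAGGED {plugin_id} ({name}) in {jar}")
```

To run it against a real installation, point `audit_plugins_dir` at the IDE’s plugins folder (for example `~/.local/share/JetBrains/<Product><Version>/` on Linux, `~/Library/Application Support/JetBrains/<Product><Version>/plugins` on macOS, or `%APPDATA%\JetBrains\<Product><Version>\plugins` on Windows) and extend `MALICIOUS_PLUGIN_IDS` as further IDs are published. Matching on the descriptor ID rather than the display name matters here because the malicious listings reused generic names that a benign plugin could also carry.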

This incident underscores the need for caution when installing plugins, even from reputable marketplaces. Periodic inventories of installed plugins checked against published IOCs, egress monitoring for plaintext HTTP POSTs from IDE processes to bare IP addresses, and least privilege for the IDE process itself all reduce the exposure from this class of supply chain attack. Developers should also use a dedicated API key per tool with the narrowest permissions and spending limits the provider offers, rotate keys regularly, and treat any key that was ever entered into one of the plugins listed above as compromised: revoke it at the provider and review the account’s usage history for charges they did not make.
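The exfiltration described earlier (a plaintext HTTP POST carrying the key to a hardcoded IP) is exactly the kind of traffic the monitoring recommended above should catch. The script below is an added example, not code from the article or from any vendor: it scans a proxy or egress log and flags a request when it goes to the known C2 address, when it is an unencrypted POST to a bare IP literal rather than a hostname, or when something shaped like an API key is sent to a host other than the providers the key belongs to. The log lines are constructed JSON records with assumed field names (`ts`, `src`, `dst_host`, `dst_port`, `scheme`, `method`, `uri`, `body_excerpt`); real proxies name fields differently and usually do not log bodies, so the field mapping will need adapting. The `sk-` key prefix and the allowlist of provider hostnames are assumptions, not facts from the article.

```python
"""Flag plaintext API-key exfiltration in egress logs.

Added example (not from the article). Input is a constructed JSON-lines
proxy log, one request per line. Field names, the "sk-" key pattern and
the LEGIT_API_HOSTS allowlist are assumptions to be adapted locally.
"""
import ipaddress
import json
import re

C2_IPS = {"39.107.60.51"}  # from the article's IOC list
# Assumption: OpenAI/DeepSeek/SiliconFlow-style keys start with "sk-".
API_KEY_RE = re.compile(r"\bsk-[A-Za-z0-9_-]{20,}")
# Assumption: hosts where a key of this shape is legitimately sent.
LEGIT_API_HOSTS = {"api.openai.com", "api.deepseek.com", "api.siliconflow.cn"}


def is_ip_literal(host):
    """True if the request went to a bare IP (v4 or bracketed v6) instead of a hostname."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def classify(rec):
    """Return the reasons a request looks like key exfiltration (empty list if clean)."""
    reasons = []
    host = rec.get("dst_host", "")
    if host in C2_IPS:
        reasons.append("known_c2_ip")
    if rec.get("scheme") == "http" and rec.get("method") == "POST" and is_ip_literal(host):
        reasons.append("plaintext_post_to_ip_literal")
    payload = rec.get("uri", "") + " " + rec.get("body_excerpt", "")
    if API_KEY_RE.search(payload) and host not in LEGIT_API_HOSTS:
        reasons.append("api_key_sent_to_unexpected_host")
    return reasons


def scan(log_lines):
    """Parse JSON lines; return {ts: reasons} for every flagged request.

    Blank or unparsable lines are skipped rather than aborting the scan.
    """
    flagged = {}
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        reasons = classify(rec)
        if reasons:
            flagged[rec["ts"]] = reasons
    return flagged


# Constructed sample log: a legitimate HTTPS call to the provider, the
# exfiltration POST to the C2 address, a benign marketplace fetch, and an
# unrelated plaintext POST to a documentation-range IP (203.0.113.7).
SAMPLE_LOG = """
{"ts": "2026-06-01T09:14:02Z", "src": "10.0.0.12", "dst_host": "api.openai.com", "dst_port": 443, "scheme": "https", "method": "POST", "uri": "/v1/chat/completions", "body_excerpt": ""}
{"ts": "2026-06-01T09:14:03Z", "src": "10.0.0.12", "dst_host": "39.107.60.51", "dst_port": 80, "scheme": "http", "method": "POST", "uri": "/api/key", "body_excerpt": "apiKey=sk-EXAMPLEKEY0123456789abcdefghij&provider=deepseek"}
{"ts": "2026-06-01T09:15:10Z", "src": "10.0.0.12", "dst_host": "plugins.jetbrains.com", "dst_port": 443, "scheme": "https", "method": "GET", "uri": "/plugins/list", "body_excerpt": ""}
{"ts": "2026-06-01T09:16:44Z", "src": "10.0.0.31", "dst_host": "203.0.113.7", "dst_port": 8080, "scheme": "http", "method": "POST", "uri": "/upload", "body_excerpt": "os=linux"}
"""

if __name__ == "__main__":
    for ts, reasons in scan(SAMPLE_LOG.splitlines()).items():
        print(ts, ", ".join(reasons))
```

The body-inspection rule only fires when the proxy can see the body, which for the campaign described here is precisely the point: the plugins sent keys over plain HTTP, so no TLS interception is needed to observe them in transit. The `plaintext_post_to_ip_literal` rule is deliberately broader than the single C2 address and will catch the next plugin that swaps in a different hardcoded IP, at the cost of some noise from internal tooling that posts to raw addresses; tune it with an internal-range allowlist before deploying.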