Aikido Uncovers 15 JetBrains Plugins Stealing AI API Keys
Key insights
- Fifteen plugins across seven vendor accounts cleared JetBrains' manual review over eight months, each sharing identical credential-theft code.
- The save() method fires on 'Apply,' forwarding keys over unencrypted HTTP to a hardcoded attacker IP before local settings storage completes.
- Stolen keys feed a paid subscriber tier where attackers resell victim credentials, shifting AI compute costs directly onto compromised developers.
Why this matters
Summary
Potential risks and opportunities
Risks
- Developers who installed CodeGPT AI Assistant or DeepSeek AI Assist (25,000+ installs each) likely have live API keys already in circulation on the attacker's server at 39.107.60[.]51.
- OpenAI, DeepSeek, and SiliconFlow customers with compromised keys face ongoing unauthorized spend as long as the attacker's paid resale service remains operational.
- PromptSnatcher's combined 100,000-user Chrome extension footprint (Smart Adblocker at 90,000 users; Adblock for Browser at 10,000 users) exposes full AI conversation histories across Claude, Gemini, Copilot, ChatGPT, and Grok.
Opportunities
- Marketplace security vendors focused on plugin code scanning (Aikido Security, Snyk, Socket.dev) gain a concrete, high-profile incident to drive budget unlocks at enterprise IDE buyers.
- API key lifecycle management providers can position automated rotation and anomaly detection directly at affected OpenAI, DeepSeek, and SiliconFlow customers whose keys may already be compromised.
- JetBrains faces structural pressure to implement mandatory plugin code review or signed verification, creating an opening for security tooling vendors to build certification workflows around IDE marketplaces broadly.
What we don't know yet
- JetBrains removal timeline: the article does not confirm whether all 15 plugins have been taken down or when JetBrains was notified and acted.
- Total install count across all 15 plugins is not stated; only CodeGPT AI Assistant and DeepSeek AI Assist are named with 25,000+ downloads each, leaving aggregate exposure unknown.
- Whether the JetBrains plugin campaign and the PromptSnatcher Chrome extension campaign share the same operators or server infrastructure is not addressed.
What others are reporting
-
Aikido Security Read →
First-party researcher post with full technical breakdown: save() exfiltration method, hardcoded IP at 39.107.60[.]51, unencrypted HTTP transport, dual monetization model, and seven vendor accounts.
Each one exfiltrates the AI provider API key that you stored into its settings, and together they have been installed close to 70,000 times.
-
BleepingComputer Read →
Independent verification: BleepingComputer downloaded and analyzed DeepSeek AI Assist itself, confirming theft code was active post-disclosure and plugins remained available on the marketplace.
-
Infosecurity Magazine Read →
Focuses on the resale business model, framing the attacker-controlled paid tier as a credential trafficking operation that collects revenue from victims twice over.
The moment you click Apply, the settings handler stores your key and also forwards it to the attacker using the save() method.
-
Cyber Security News Read →
Adds evidence of fake reviews on plugin listings and flags that real impact likely exceeds reported download counts due to rating manipulation inflating install figures.
Behind the scenes, they were silently harvesting users' API keys.
-
Developer Tech Read →
Frames the story through a developer-to-SOC lens with enterprise governance recommendations, noting that the IDE's high-trust plugin environment is the structural enabler.
The malicious plugins exploit this high-trust environment by embedding their payload within standard configuration menus.
Originally reported by thehackernews.com
Read the original article →Original headline: 15 Malicious JetBrains Marketplace Plugins Steal AI Provider API Keys From 70,000+ Developers — DeepSeek and OpenAI Integrations Used as Cover