All Insights

15 Fake AI Plugins on JetBrains Marketplace Were Stealing Your API Keys. For 8 Months.

CivSafe Team·June 20, 2026·7 min read

On Monday, Aikido Security published findings that should rattle any developer who uses a JetBrains IDE: 15 plugins on the official JetBrains Marketplace were quietly stealing AI provider API keys. Every one of those plugins worked exactly as advertised. They just had one extra feature nobody consented to.

The campaign ran from October 2025 to June 10, 2026 — roughly eight months — before anyone caught it.

What happened

The plugins were straightforward to use. You install one, open the settings, paste in your OpenAI or DeepSeek API key, and click Apply. The plugin connects to the AI service, code suggestions start appearing, and everything works fine.

Except when you clicked Apply, your API key was also sent in plaintext over HTTP to a hardcoded server at 39.107.60[.]51. No TLS. No obfuscation. Just a raw HTTP POST with your credential attached.

The plugins targeted keys for OpenAI, DeepSeek, and SiliconFlow — the three API providers most popular among developers adding AI coding assistance to their existing IDE setup. If you configured a key for any of those services inside one of the affected plugins, assume that key is compromised.

The plugins

Aikido found 15 of them published under seven vendor accounts. The top two by install count:

  • DeepSeek AI Assist — 27,727 installs
  • CodeGPT AI Assistant — 25,571 installs

Others in the cluster included DeepSeek Code Review, DeepSeek Git Commit, AI Coder Review, Coding Simple Tool, and nine more — all with similar names, all with similar code, all doing the same thing. The vendor accounts (CodePilot, StackSmith, CodeCrafter, CodeWeaver, JetCode, DailyCode, ZenCoder) were fresh accounts with no legitimate publishing history.

All 15 have now been pulled from the marketplace and the associated accounts permanently banned. JetBrains also pushed a remote kill switch that disables the extensions in any running IDE when you next restart it. If you haven't restarted your JetBrains IDE in the last few days, do it now.

Why this ran for eight months undetected

The plugins were good. That's the uncomfortable part.

They didn't crash. They didn't slow things down. They didn't trigger security scans because there's no malware to detect — the theft happens through the plugin's own settings panel using a single HTTP call. The plugins delivered exactly the functionality they promised. Code suggestions worked. Git commit messages appeared. Code review comments showed up in the right places.

The only anomaly was one outbound HTTP request to a Chinese IP address every time you saved API key settings. In a world where every tool phones home to some analytics endpoint, that kind of traffic disappears into the noise.

The affected IDEs span the full JetBrains lineup: IntelliJ IDEA, PyCharm, WebStorm, PhpStorm, GoLand, Rider, RubyMine, RustRover, Android Studio. If your team builds anything — Java, Python, JavaScript, Go, PHP, Ruby, Rust, .NET — there's a good chance someone was running one of these IDEs.

What a stolen API key actually costs you

This isn't theoretical damage. A stolen OpenAI API key means someone else is running inference on your bill. Depending on what they're doing with it, we're talking anywhere from a few hundred dollars of unexpected charges to bills in the thousands before you notice. OpenAI rate limits slow down organic growth, but they don't stop someone from hammering an API key they didn't pay for.

With DeepSeek, there's a different dimension. DeepSeek's API handles data differently than US providers — questions about where inference happens and who can access conversation history are live regulatory questions right now, especially for Canadian public sector organizations and NGOs handling sensitive information. Handing an attacker your DeepSeek API key isn't just a billing problem; it's a data governance problem.

SiliconFlow is primarily used as a cheap inference gateway for open-weight models. A stolen key there gives someone access to run models on your compute budget.

What to do right now

Step 1: Restart your JetBrains IDE. JetBrains has deployed a remote kill switch. The plugins are already marked as broken on their end. When you restart, the deactivation propagates. If you're in the middle of something, finish up and restart before end of day.

Step 2: Check your AI provider billing dashboards. Log into your OpenAI, DeepSeek, and SiliconFlow accounts and look at usage from the last 30 days. Look for spikes. Look for usage patterns that don't match your team's work schedule — calls at 3am, unusually high token counts on days your team wasn't active. Flag anything suspicious before you rotate keys, so you have documentation.

Step 3: Rotate every AI API key your team uses. Revoke your existing keys and generate new ones. Yes, you'll need to update your environment files and any integrations that use them. That's less painful than unauthorized usage charges or a billing dispute with your AI provider. Do this for all providers, even ones you don't think were configured in JetBrains plugins — if one plugin had access, it's worth auditing everything.

Step 4: Audit who on your team was running JetBrains with AI plugins. Talk to your developers. If anyone installed an AI coding assistant plugin through the JetBrains Marketplace in the last eight months, they're in scope. Collect which plugins they installed and cross-reference against the Aikido findings.

Step 5: Implement a team rule about API keys in IDE plugins. This is the structural fix. Never configure a production API key in a third-party IDE plugin you haven't vetted. The attack relied on the plugin's settings panel as the collection point — if the key never goes into the plugin, the plugin can't steal it.

The pattern you should be tracking

This is the third major attack this year targeting the AI developer tooling layer specifically. In April we saw malicious extensions planted in the Open VSX marketplace targeting Cursor and Windsurf users. In May, the Miasma worm hit npm packages used in AI agent frameworks. Now JetBrains.

The common thread: developers are adding AI capabilities to their existing workflows as fast as they can, and they're doing it by installing plugins, packages, and extensions without the same scrutiny they'd give a core infrastructure dependency. A plugin with "AI" in the name that works on first install gets trusted immediately. Attackers know this.

The JetBrains attack is particularly sharp because it targeted the most trust-dense moment in the entire interaction — the moment when you enter a credential and click Apply. That's when you're least suspicious. The plugin just proved it works. You're configuring access. It feels routine.

For small dev teams: your IDE is part of your security perimeter now. Every plugin that touches API keys, credentials, or environment variables is a potential attack surface. That doesn't mean stop using plugins — it means apply the same vetting you'd give a new SaaS tool. Who built this? What permissions does it need? Does the publisher account have any history?


We regularly see this issue when auditing the developer setups of teams we work with — API keys scattered across IDE settings, env files, and plugin configurations with no centralized management. If your team is moving fast with AI tooling and security hygiene is lagging behind, we can help tighten that up without slowing anyone down. Get in touch.

CivSafe — Strategic Innovation. Community Impact.