Fifteen JetBrains Marketplace Plugins Found Stealing API Keys


Security researchers have uncovered a coordinated campaign designed to steal developers’ AI-related API keys via malicious plugins.

Aikido Security found at least 15 integrated development environment (IDE) plugins on the JetBrains Marketplace which had slipped past security checks and have now been installed around 70,000 times.

They apparently date back to October 2025, with the most recent plugins released in June 2026.

“Every plugin poses as an AI coding assistant built on DeepSeek and other large language models, offering chat, commit messages, code review, bug finding, and unit tests,” said Aikido.

“They function exactly as advertised. However, the AI provider API key you enter gets exfiltrated to a server controlled by the attacker.”


Aikido explained that all the malicious plugins it has found so far share a similar underlying codebase. They have names like “DeepSeek Git Commit” and “AI Coder Review.”

“To use any of them, you open the settings panel and paste in an API key for a provider such as OpenAI, SiliconFlow, or DeepSeek. The plugin needs that key to call the model on your behalf, so handing it over feels routine,” the report explained.

“The moment you click Apply, the settings handler stores your key and also forwards it to the attacker using the save() method. The call fires immediately on key entry, with no prompt, no consent screen, and no mention anywhere in the user interface.”

What’s the End Goal?

It’s not clear what the aim of the campaign is, although API keys connecting to paid AI services could be resold or used for compute.

Aikido suggested the first scenario may be applicable here, given that the plugins feature a paid tier. After the user pays a small fee via the donation wall built into the plugin, they apparently receive an API key from the server with which to make free calls to the relevant model.

Aikido hypothesized that these could be API keys exfiltrated from victims, turning the campaign into a service that effectively resells stolen API access.

“The operator collects money on one side and free credentials on the other, while the genuine key owners pay the bill,” it added.

The report claimed that IDEs are an increasingly popular target for threat actors, given that they’re trusted, left open all day by developers, and provide access to a wealth of source code, cloud credentials, signing keys, and API keys.

Aikido shared the relevant IoCs in its blog post.
