Over eight months from October 2025 to June 2026, attackers operated a coordinated credential theft campaign through the JetBrains Marketplace, distributing 15 malicious plugins that posed as legitimate AI coding assistants and Git utilities. The plugins worked exactly as advertised, providing real AI coding features, while silently exfiltrating AI provider API keys the moment developers entered them into settings. Nearly 70,000 installations later, the campaign was uncovered by Aikido Security. The stolen keys were not just discarded: the operation included a paid tier through which attackers redistributed stolen credentials to paying customers, turning the campaign into a self-funding credential resale business targeting LLM API keys for OpenAI, Anthropic, DeepSeek, and SiliconFlow.
What Happened
The JetBrains Marketplace is the official plugin registry for IntelliJ IDEA, PyCharm, WebStorm, and the broader JetBrains IDE family, used by millions of professional developers globally. Third-party plugins must pass a review and approval process before being listed.
Beginning in late October 2025, attackers began publishing malicious plugins through seven separate vendor accounts. The plugins posed as AI coding assistants, code reviewers, Git commit helpers, bug finders, and unit test generators — precisely the tools developers were adopting as AI-augmented coding workflows became mainstream. The plugins functioned as described, lowering any suspicion that something was wrong.
The malicious functionality was embedded in the settings handler. When a developer entered an AI provider API key — OpenAI, Anthropic, DeepSeek, or SiliconFlow and clicked Apply, the plugin silently transmitted the credential via HTTP to a hardcoded attacker-controlled server at 39.107.60.51. No consent screen appeared. No notification was shown. The theft happened in a single moment, invisible to the developer.
The campaign operated continuously for approximately eight months. The two most downloaded plugins were DeepSeek AI Assist (27,727 downloads) and CodeGPT AI Assistant (25,571 downloads), though total confirmed downloads across all 15 plugins approached 70,000 installations.
The timeline:
- Late October 2025: First malicious plugins appear on JetBrains Marketplace
- June 10, 2026: New malicious plugin variants still being published
- June 16, 2026: JetBrains receives security reports from Aikido Security
- June 17, 2026: All 15 plugins purged from JetBrains Marketplace, 7 publisher accounts permanently banned, remote kill-switch triggered to disable affected plugins in all installed IDEs
How It Happened
The campaign exploited a trust model that developer tooling ecosystems have not yet adapted to the AI era: developers trust marketplace plugins as a category, and AI coding tools in particular have become a normalised installation in professional development environments.
The attack mechanism was technically minimal. The settings handler captured the API key string as the user typed it and transmitted it via a plain HTTP POST to the attacker’s server the moment the user clicked Apply. The plugin’s functional AI features continued to work normally, using keys the attacker’s server would supply to paid users. There was no visible indicator that the credential had been stolen.
The monetisation model is what distinguishes this campaign from ordinary credential theft. The attacker’s server offered a paid tier: for a small fee, users received a working AI provider API key. Researchers assess those keys were stolen credentials from free-tier victims. The campaign was economically self-sustaining: free users provided the credential inventory, paid users provided revenue, and the victim organisations subsidised the AI compute costs.
Attackers also leveraged the Miasma and Hades worms during the same period. StepSecurity research linked the JetBrains campaign tradecraft to a broader pattern of AI developer tooling credential theft. Microsoft’s concurrent analysis of the Mastra npm attack and the Axios compromise shows a strategic convergence: multiple threat actors are now targeting AI developer credential surfaces simultaneously, through different vectors.
Impact
The 15 plugins accumulated nearly 70,000 combined installations. Every developer who entered an OpenAI, Anthropic, DeepSeek, or SiliconFlow API key into any of the affected plugins should treat that key as compromised, regardless of whether anomalous usage has been detected.
The stolen credential classes are high-value: a working OpenAI API key with a substantial usage limit can represent thousands of dollars in monthly AI compute, and underground markets have developed specifically to trade stolen LLM API keys. The Cloud Security Alliance assessed that IDE plugin ecosystems have become a primary attack surface for AI credential theft, noting that supply chain integrity controls have not been extended to these environments.
BleepingComputer independently confirmed that the latest version of one affected plugin – DeepSeek AI Assist, still contained active credential theft code at time of publication. JetBrains’ remote kill-switch mechanism, which triggers on the next IDE restart, provided mitigation after disclosure but did not address keys already stolen during the eight-month operation window.
What This Means for NHI Governance
AI provider API keys are non-human identities. They are machine credentials that authenticate programmatically, without human involvement, on every API call. They carry spending authority, data access authority, and in enterprise environments, access to proprietary training data, private models, and production AI infrastructure.
The JetBrains campaign illustrates a new class of NHI credential theft that the security community needs to treat as a first-order threat:
IDE plugin ecosystems are NHI credential surfaces. Developers routinely configure AI provider keys, cloud credentials, database connection strings, and deployment tokens in IDE settings and environment variables. Malicious IDE plugins have direct access to every credential a developer stores or types in that environment. That is an exceptionally privileged position.
AI API keys are treated as low-sensitivity by default. Most organisations have rigorous controls over AWS IAM credentials and Entra ID service principals. Very few have equivalent controls over OpenAI API keys, Anthropic API keys, or other LLM provider credentials. Those keys may have access to proprietary data, cost substantial money, and in agentic AI deployments may carry tool-use permissions that extend far beyond text generation. They need the same governance as any other privileged credential.
Functional malware is harder to detect than broken malware. These plugins worked. The AI features they advertised delivered real results. A developer installing a plugin that immediately broke or behaved strangely would notice and uninstall it. A developer whose plugin continued to function normally while silently sending their API key to a server in Beijing had no signal to act on for months.
Recommendations
- Revoke and rotate all AI provider API keys entered into any of the 15 identified plugins immediately. Keys for OpenAI, Anthropic, DeepSeek, and SiliconFlow should be revoked through their respective provider dashboards. Disable old keys before rotating to prevent continued abuse.
- Block outbound traffic to 39.107.60.51 at the network perimeter.
- Audit all installed JetBrains plugins. Review every installed plugin against the list published by Aikido Security. Remove any plugin from unknown publishers or with unexplained access to network calls in their settings handlers.
- Monitor AI provider API key usage for anomalous patterns. Unusual spend spikes, access from unexpected IP addresses, or model calls at unusual hours are indicators of credential theft in use.
- Treat AI provider API keys as privileged NHI credentials. Implement the same governance applied to cloud IAM credentials: scoped permissions, rotation schedules, usage monitoring, and immediate revocation on suspected compromise.
- Require behavioural review before approving new IDE plugins in enterprise environments. Static code scanning alone is insufficient. Plugins that make outbound network calls from settings handlers warrant specific scrutiny.
How NHI Mgmt Group Can Help
Securing Non-Human Identities (NHIs) including AI Agents, is becoming increasingly crucial as attackers discover and target service accounts, API keys, tokens, secrets, and OAuth credentials during breaches. These NHIs often hold extensive permissions that can be exploited, making their security a priority for any organisation focused on protecting their digital assets.
Take our NHI Foundation Level Training Course, the most comprehensive in the industry, that will empower you and your organisation with the knowledge needed to manage and secure these non-human identities effectively.
Final Thoughts
The JetBrains Marketplace AI plugin campaign ran for eight months. It worked because the plugins functioned. It persisted because there was no anomaly signal. And it scaled because AI developer credentials, LLM API keys, cloud tokens, CI/CD secrets, have become a recognised commodity with active underground markets and, in the case of this campaign, a customer-facing storefront.
The transition from AI tools as experiments to AI tools as production infrastructure has moved faster than the security governance frameworks that should accompany it. Every AI provider API key in your organisation is a non-human identity. It needs an owner, a scope, a rotation schedule, and anomaly monitoring. The eight-month operation window of this campaign is the cost of not having those controls in place.
