JetBrains has removed 15 malicious third-party plugins from its Marketplace after security researchers found that the extensions posed as AI coding tools while stealing developer API keys.
The company said on June 18 that it received reports on June 16 about an AI API key theft campaign involving plugins hosted on JetBrains Marketplace. The affected tools presented themselves as AI assistants, code reviewers, Git helpers, bug-finding utilities, or unit-test generators, but secretly harvested AI provider credentials that developers entered into their settings.
JetBrains says all 15 flagged plugins have now been purged from Marketplace, the seven publisher accounts tied to the campaign have been terminated, and the affected extensions have been marked as broken in JetBrains’ backend so they are remotely disabled inside users’ IDEs after the next relaunch. The company also says it found no compromise of JetBrains source code, development environments, or core corporate infrastructure.
How the plugins stole AI keys
The campaign was first detailed by Aikido Security, which reported that the plugins shared similar hidden code despite being packaged under different names and vendors. The plugins asked users to paste API keys for services such as OpenAI, DeepSeek, or SiliconFlow, a routine-looking step for third-party AI tools that need to call a model on the user’s behalf.
The malicious behavior triggered when a developer clicked Apply after entering a key. Aikido found that the plugins forwarded matching credentials to a hardcoded server at 39.107.60[.]51 over plain HTTP, so the key also crossed the network unencrypted. JetBrains’ technical analysis added another important detail: the plugins silently installed a JVM-wide trust manager that accepted unsigned or self-signed certificates without the normal TLS validation errors. A trust manager installed as the JVM default applies to every HTTPS connection the IDE process makes, not only the plugin’s own, so the change weakened certificate checking for the whole IDE; the analysis characterized it as a move to make the suspicious network behavior less visible to local tooling.
The plugins were not crude fakes. They generally performed the AI coding tasks they advertised, which made the theft harder to notice. Aikido also found a paid-tier mechanism in which the remote server could hand an API key back to the plugin for paying users. The researchers described that as a possible sign that stolen keys from one group of users may have been redistributed to another, though that part remains an inference rather than a confirmed billing trail.
BleepingComputer reported that it independently analyzed the latest DeepSeek AI Assist plugin and confirmed the credential-theft behavior described by Aikido. At the time of BleepingComputer’s June 16 report, that plugin was still available through Marketplace. JetBrains’ later disclosure says the plugin set has since been removed and blocked.
The affected JetBrains Marketplace plugins
JetBrains and Aikido named the following plugins as covered by the incident:
- DeepSeek Junit Test (org.sm.yms.toolkit)
- DeepSeek Git Commit (com.json.simple.kit)
- DeepSeek FindBugs (org.bug.find.tools)
- DeepSeek AI Chat (org.translate.ai.simple)
- DeepSeek Dev AI (com.yy.test.ai.simple)
- DeepSeek AI Coding (com.dev.ai.toolkit)
- AI FindBugs (com.json.view.simple)
- AI Git Commitor (com.my.git.ai.kit)
- AI Coder Review (org.check.ai.ds)
- DeepSeek Coder AI (com.review.tool.code)
- AI Coder Assistant (org.code.assist.dev.tool)
- DeepSeek Code Review (com.coder.ai.dpt)
- CodeGPT AI Assistant (com.my.code.tools)
- DeepSeek AI Assist (ord.cp.code.ai.kit)
- Coding Simple Tool (com.dp.git.ai.tool)
Aikido estimated that the plugins had accumulated close to 70,000 installs, with CodeGPT AI Assistant and DeepSeek AI Assist accounting for more than 25,000 downloads each. The researchers cautioned that marketplace download counts can be inflated and should not be treated as a precise count of affected developers.
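The list above is exactly what an incident responder needs for a quick sweep of developer machines. The following script is an added example written for this article, not code from JetBrains or Aikido: it walks a JetBrains IDE plugins directory, reads the plugin id from each jar’s META-INF/plugin.xml, and flags the ids named above. As a secondary heuristic it also searches class files for the reported exfiltration IP and for references to javax.net.ssl.X509TrustManager, since the campaign shipped its own JVM-wide trust manager. The sample plugin directory it builds is constructed for demonstration; the directory layout (<plugins>/<Name>/lib/*.jar) and the first-<id>-element rule for plugin.xml are assumptions that hold for the common case. Both heuristics can miss obfuscated code, and the TrustManager check will also flag legitimate plugins that bundle their own TLS handling, so treat hits as leads rather than verdicts.

```python
"""Triage sweep for the plugin ids listed above (added example, not JetBrains code)."""
import os
import re
import sys
import tempfile
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional

# Plugin ids named by JetBrains and Aikido (from the list above).
KNOWN_BAD_IDS = {
    "org.sm.yms.toolkit", "com.json.simple.kit", "org.bug.find.tools",
    "org.translate.ai.simple", "com.yy.test.ai.simple", "com.dev.ai.toolkit",
    "com.json.view.simple", "com.my.git.ai.kit", "org.check.ai.ds",
    "com.review.tool.code", "org.code.assist.dev.tool", "com.coder.ai.dpt",
    "com.my.code.tools", "ord.cp.code.ai.kit", "com.dp.git.ai.tool",
}
EXFIL_IP = b"39.107.60.51"                             # indicator reported by Aikido
TRUST_MANAGER_REF = b"javax/net/ssl/X509TrustManager"  # class-reference string in bytecode
ID_RE = re.compile(r"<id>\s*([^<\s]+)\s*</id>")        # first <id> element in plugin.xml


@dataclass
class Finding:
    jar: str
    plugin_id: Optional[str]
    known_bad: bool = False
    indicators: List[str] = field(default_factory=list)


def plugin_id_from_jar(zf: zipfile.ZipFile) -> Optional[str]:
    """Return the <id> from META-INF/plugin.xml, or None if the jar has none."""
    try:
        xml = zf.read("META-INF/plugin.xml").decode("utf-8", "replace")
    except KeyError:
        return None
    m = ID_RE.search(xml)
    return m.group(1) if m else None


def inspect_jar(path: str) -> Finding:
    """Identify the plugin and scan its class files for the two indicators."""
    with zipfile.ZipFile(path) as zf:
        f = Finding(jar=path, plugin_id=plugin_id_from_jar(zf))
        f.known_bad = f.plugin_id in KNOWN_BAD_IDS
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            data = zf.read(name)
            if EXFIL_IP in data:
                f.indicators.append(f"{name}: hardcoded exfil IP")
            if TRUST_MANAGER_REF in data:
                f.indicators.append(f"{name}: custom X509TrustManager")
    return f


def scan_plugins_dir(root: str) -> List[Finding]:
    """Inspect every jar below root; plugins normally sit in <root>/<Name>/lib/*.jar."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.endswith(".jar"):
                f = inspect_jar(os.path.join(dirpath, fn))
                if f.known_bad or f.indicators:
                    findings.append(f)
    return findings


def make_sample_plugins_dir() -> str:
    """Constructed fixture: one jar mimicking a listed plugin, one benign jar."""
    root = tempfile.mkdtemp(prefix="jb-plugins-")
    bad = os.path.join(root, "DeepSeek AI Assist", "lib")
    good = os.path.join(root, "Harmless", "lib")
    os.makedirs(bad)
    os.makedirs(good)
    with zipfile.ZipFile(os.path.join(bad, "plugin.jar"), "w") as zf:
        zf.writestr("META-INF/plugin.xml",
                    "<idea-plugin><id>ord.cp.code.ai.kit</id></idea-plugin>")
        zf.writestr("x/Exfil.class",
                    b"\xca\xfe\xba\xbe" + b"http://39.107.60.51/upload"
                    + b"javax/net/ssl/X509TrustManager")
    with zipfile.ZipFile(os.path.join(good, "plugin.jar"), "w") as zf:
        zf.writestr("META-INF/plugin.xml",
                    "<idea-plugin><id>com.example.harmless</id></idea-plugin>")
        zf.writestr("y/Ok.class", b"\xca\xfe\xba\xbe" + b"nothing to see")
    return root


if __name__ == "__main__":
    # Pass the IDE's plugins directory (on Linux typically
    # ~/.local/share/JetBrains/<Product><Version>/plugins); with no argument
    # the constructed sample directory is scanned instead.
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_plugins_dir()
    for f in scan_plugins_dir(target):
        label = "KNOWN BAD" if f.known_bad else "suspicious"
        print(f"{label}: {f.jar} (id={f.plugin_id})")
        for ind in f.indicators:
            print("    ", ind)
```

Run it against each IDE’s plugins directory on every developer machine, not just the one where the report originated; the same developer often has several JetBrains products installed, each with its own plugins folder.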
What developers should do now
Anyone who installed or configured one of the named plugins before June 17 should treat any API key entered into it as exposed. Removing the plugin is not enough, because the key may already have been copied off the machine.
The highest-priority step is to revoke and reissue affected credentials through the relevant provider console, whether that is OpenAI, DeepSeek, SiliconFlow, a compatible endpoint, or another AI service. Developers and team admins should also inspect provider usage dashboards for unusual spend, unfamiliar requests, sudden traffic spikes, or activity associated with 39.107.60[.]51.
JetBrains also recommends checking the IDE plugin manager under Settings > Plugins > Installed, manually removing untrusted AI assistants or Git add-ons, blocking outbound traffic to the known malicious IP, and scanning repositories for exposed credentials. Because the plugins connected to a hardcoded IP address rather than a hostname, that block has to be enforced at the network or host firewall; a DNS-layer block will not catch it. Teams should prefer narrowly scoped keys, spending caps, and provider-level restrictions when future AI tools require credential access.
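The repository scan in the last step is worth automating, because a key pasted into a plugin settings dialog often ends up in a project config file as well. The script below is an added example, not part of the article or of any JetBrains tooling. It walks a source tree, skips binaries and the .git directory, flags tokens that look like OpenAI or DeepSeek API keys, and redacts each hit so the scan itself does not copy the secret into logs or tickets. The key shape it matches (an “sk-” prefix, an optional “proj-” segment, then a long token) is an assumption about common provider formats; extend KEY_PATTERNS for the providers your team actually uses. The sample text it scans is constructed and contains no real secrets.

```python
"""Scan a source tree for AI provider keys (added example, not JetBrains code)."""
import os
import re
from typing import Iterator, List, Tuple

# Assumed provider key shapes: OpenAI and DeepSeek both issue "sk-" keys;
# the optional "proj-" segment covers OpenAI project keys. Add patterns as needed.
KEY_PATTERNS = {
    "openai_or_deepseek": re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b"),
}
# .idea is deliberately NOT skipped: project-level plugin settings live there.
SKIP_DIRS = {".git", "node_modules", "build", "out", "target"}
MAX_BYTES = 2 * 1024 * 1024  # cheap way to avoid large artifacts

Hit = Tuple[str, int, str, str]  # (origin, line_no, kind, redacted_token)


def redact(token: str) -> str:
    """Keep the prefix and last four chars so a hit can be matched to a provider key."""
    return token[:6] + "..." + token[-4:]


def scan_text(text: str, origin: str = "<inline>") -> List[Hit]:
    """Return one redacted hit per key-shaped token found in text."""
    hits: List[Hit] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pat in KEY_PATTERNS.items():
            for m in pat.finditer(line):
                hits.append((origin, line_no, kind, redact(m.group(0))))
    return hits


def is_probably_binary(chunk: bytes) -> bool:
    return b"\x00" in chunk


def scan_tree(root: str) -> Iterator[Hit]:
    """Walk root, skipping SKIP_DIRS, oversized files and binaries."""
    for dirpath, dirnames, files in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "rb") as fh:
                    raw = fh.read()
            except OSError:
                continue
            if is_probably_binary(raw[:8000]):
                continue
            yield from scan_text(raw.decode("utf-8", "replace"), path)


# Constructed sample input; the tokens are made up and are not real keys.
SAMPLE = """\
# constructed sample config, not real secrets
OPENAI_API_KEY=sk-abcdefghijklmnopqrstuvwxyz123456
deepseek.key = "sk-0123456789abcdef0123456789abcdef"
version = "sk-2"   # short token, must not match
"""


def scan_sample() -> List[Hit]:
    return scan_text(SAMPLE, "sample.env")


if __name__ == "__main__":
    import sys
    hits = list(scan_tree(sys.argv[1])) if len(sys.argv) > 1 else scan_sample()
    for origin, line_no, kind, token in hits:
        print(f"{origin}:{line_no}: {kind}: {token}")
```

Any hit should be treated like the plugin-entered key itself: rotate it at the provider and purge it from history, since removing the line in a later commit does not remove it from the repository.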
Why this is a bigger IDE security warning
The incident shows why AI coding tools have changed the risk profile of developer workstations. IDE plugins often run inside trusted local environments with access to source code, project files, terminals, build settings, and now paid AI service keys. A malicious extension does not need to compromise a package registry or production server to become costly. It can wait inside a tool developers use all day and steal a credential the moment it is saved.
JetBrains’ own AI Assistant documentation shows why the setup path can feel normal: current JetBrains IDEs support third-party providers including Anthropic, Gemini, Google Vertex AI, OpenAI, OpenAI-compatible endpoints, LM Studio, and Ollama, with API keys entered directly in settings for supported providers. That flexibility is useful, but it also makes credential-handling behavior in third-party plugins a security boundary that teams can no longer treat casually.
JetBrains points developers toward the Agent Client Protocol registry as one safer direction for AI tools because it standardizes communication between editors and agents rather than relying on traditional unsandboxed plugins with custom execution paths. That will not eliminate plugin risk, but it reflects the direction developer tooling is moving: AI assistants need tighter interfaces, less implicit trust, and credentials that are easier to revoke when the next marketplace incident appears.