
Attackers Exploit JetBrains Plugins To Steal AI Provider Keys


15 Malicious JetBrains AI Plugins Found Stealing OpenAI, DeepSeek And Other AI Provider Keys

Researchers at Aikido Security have uncovered 15 malicious AI coding plugins on the JetBrains Marketplace that secretly steal AI provider API keys, highlighting growing supply-chain risks across developer and open-source ecosystems.

A coordinated malware campaign targeting the developer and open-source ecosystem has exposed at least 15 malicious AI coding plugins on the JetBrains Marketplace that secretly steal AI provider credentials while delivering the functionality users expect.

Discovered by Aikido Security, the plugins masquerade as AI coding assistants built on DeepSeek and other large language models, offering features such as AI chat, code review, bug detection, commit message generation and unit test creation. However, they covertly exfiltrate AI provider API keys entered by users.

“Every plugin poses as an AI coding assistant built on DeepSeek and other large language models, offering chat, commit messages, code review, bug finding, and unit tests. They function exactly as advertised. However, the AI provider API key you enter gets exfiltrated to a server controlled by the attacker,” said Ilyas Makari, Researcher at Aikido Security.

The campaign has reportedly been active since late October 2025, with new malicious plugins published as recently as 10 June 2026. Two plugins — CodeGPT AI Assistant and DeepSeek AI Assist — reportedly exceeded 25,000 downloads each, although researchers noted the figures may have been artificially inflated.

According to Aikido Security, stolen credentials are transmitted via plaintext HTTP requests to an attacker-controlled server at 39.107.60[.]51.
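The exfiltration path described in the paragraph above (an API key sent in a plaintext HTTP request to an attacker-controlled host) is something a defender can look for in egress proxy logs. The following script is an added example, not code from Aikido Security or from the article: it parses a constructed proxy-log format (hypothetical, not any real proxy's layout), flags requests to the indicator IP the article names, and flags any `sk-`-style key that leaves the workstation over plain `http://` or to a host outside an assumed allow-list of legitimate AI provider endpoints. The key pattern and the allow-list are assumptions made for the example.

```python
"""Audit outbound HTTP requests from a developer workstation for signs of
plaintext API-key exfiltration by a malicious IDE plugin (added example)."""
import re
from urllib.parse import urlsplit

# Attacker-controlled server reported by Aikido Security (value taken from the article).
KNOWN_C2_HOSTS = {"39.107.60.51"}

# Assumed allow-list: hosts that may legitimately receive an AI provider key.
TRUSTED_PROVIDER_HOSTS = {"api.openai.com", "api.deepseek.com"}

# OpenAI- and DeepSeek-style secret keys start with "sk-"; the length bound is a
# heuristic chosen for this example, not a vendor specification.
API_KEY_RE = re.compile(r"\bsk-[A-Za-z0-9_\-]{20,}\b")

# Constructed log layout (hypothetical):
#   <timestamp> <client-ip> <METHOD> <url> <header-blob>|<body>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<rest>.*)$"
)


def parse_proxy_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    headers, _, body = rec.pop("rest").partition("|")
    rec["headers"] = headers
    rec["body"] = body
    return rec


def audit_request(rec):
    """Return a list of finding tags for one parsed request (empty if clean)."""
    findings = []
    parts = urlsplit(rec["url"])
    host = parts.hostname or ""
    if host in KNOWN_C2_HOSTS:
        findings.append("known-c2-host")
    # Look for a key anywhere in the request: query string, headers or body.
    payload = " ".join((rec["url"], rec.get("headers", ""), rec.get("body", "")))
    if API_KEY_RE.search(payload):
        if parts.scheme == "http":
            findings.append("api-key-over-plaintext-http")
        elif host not in TRUSTED_PROVIDER_HOSTS:
            findings.append("api-key-to-unexpected-host")
    return findings


def audit_log(text):
    """Return (timestamp, url, findings) for every log line that raised a finding."""
    results = []
    for line in text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        findings = audit_request(rec)
        if findings:
            results.append((rec["ts"], rec["url"], findings))
    return results


# Constructed sample log: one legitimate provider call, one exfiltration to the
# reported C2 address, one benign marketplace request, one leak to a second host.
SAMPLE_LOG = """\
2026-06-11T09:14:02Z 10.0.0.5 POST https://api.openai.com/v1/chat/completions Authorization: Bearer sk-AAAAAAAAAAAAAAAAAAAAAAAA|{"model":"gpt"}
2026-06-11T09:14:03Z 10.0.0.5 POST http://39.107.60.51/api/register -|key=sk-AAAAAAAAAAAAAAAAAAAAAAAA
2026-06-11T09:14:05Z 10.0.0.5 GET https://plugins.jetbrains.com/api/plugins -|
2026-06-11T09:14:07Z 10.0.0.7 POST http://203.0.113.9/collect -|apikey=sk-BBBBBBBBBBBBBBBBBBBBBBBB
"""

if __name__ == "__main__":
    for ts, url, findings in audit_log(SAMPLE_LOG):
        print(ts, url, ", ".join(findings))
```

The two checks are deliberately independent: the IP match catches this specific campaign, while the plaintext-HTTP and unexpected-host rules catch the same behaviour from a plugin whose server address has changed. A legitimate call to a trusted provider over TLS produces no finding.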

Researchers also uncovered a monetisation scheme in which users who pay for premium access receive API keys from the operators. “The operator collects money on one side and free credentials on the other, while the genuine key owners pay the bill,” Makari said.

Aikido Security warned that the campaign demonstrates how attackers are increasingly targeting developer environments, software supply chains and open-source ecosystems to harvest source code, cloud credentials, signing keys and AI service API keys.
