Security researchers identified a coordinated malware campaign within the JetBrains Marketplace designed to exfiltrate developer API keys.
The operation targets software engineering teams incorporating AI models into daily production workflows. Investigative data from Aikido Security identifies fifteen individual integrated development environment plugins containing identical data exfiltration routines.
Published under seven distinct vendor accounts – including profiles named CodePilot, StackSmith, and ZenCoder – these tools amassed nearly 70,000 combined installations. The malicious applications masquerade as standard coding assistants powered by language models from OpenAI, SiliconFlow, and DeepSeek.
Platform engineering departments deploy these types of AI tools to accelerate delivery timelines. The affected plugins provide chat interfaces, commit message generation, automated code reviews, and unit testing capabilities.
The advertised functions perform exactly as described, masking the underlying credential theft and allowing the software to bypass initial user suspicion. Initial versions of the malicious software appeared in late October 2025, with new variants continuing to bypass marketplace review processes through June 2026.
Bypassing endpoint controls
Corporate security architectures monitoring outbound network traffic face distinct tracking challenges on developer workstations. Engineers require administrative privileges to compile code, execute local virtual machines, and test system integrations. The malicious JetBrains plugins exploit this high-trust environment by embedding their payload within standard configuration menus.
Users must provide a provider API key to activate the AI model integrations. The credential theft occurs instantaneously upon entry. The settings handler captures the input string and transmits it to an external server via a standard save method. This execution requires no explicit user prompt or consent screen.
The application codebase validates the input string length to ensure it hits exactly 51 characters and checks for specific prefix formats before executing a POST request to a hardcoded external destination. The destination server, located at 39.107.60.51, receives the credentials via unencrypted HTTP connections.
The traffic authentication relies on a static token embedded within the plugin architecture. The captured string travels in plaintext to an address possessing no affiliation with any recognised cloud service provider. Enterprise data loss prevention tools struggle to identify this activity because the key transmission mirrors normal background synchronisation tasks.
Quantifying non-human identity risks
The exploitation of API keys in this campaign highlights a broader vulnerability pattern across enterprise environments.
Empirical metrics from Sophos in their ‘The State of Identity Security 2026’ report show that identity-related breaches affect 71 percent of organisations globally. Within the technology and telecoms sector, 63.1 percent of companies reported successful identity compromises over the past 12 months.
The data classifies API keys, tokens, and service accounts as non-human identities. The management of these credentials represents a primary security weakness, contributing to 40.6 percent of all documented identity breaches. Threat actors leverage automated scanning and compromised tools to intercept non-human credentials because these assets frequently lack strict monitoring.
The Sophos study demonstrates that breaches involving weak non-human identity management cost an average of $1,784,541 to rectify. This represents a nine percent premium, or nearly $150,000 more than the global average identity remediation cost of $1,637,363.
Security operations centres in the UK experience a 65.3 percent identity breach rate, but maintain the lowest detection failure rate globally at 7.1 percent, highlighting the value of structured asset visibility.
Commercialising stolen compute resources
IT departments struggle to trace anomalous cloud billing spikes back to individual developer workstations. This malware operation weaponises stolen credentials to power a parallel shadow service. The malicious plugins include a premium tier requiring users to process a financial transaction through an integrated donation system.
Upon receiving payment, the external server transmits a functional API key back to the client software. The local plugin overrides any user-provided keys and routes subsequent model requests through this server-supplied credential. No legitimate commercial operator distributes unrestricted, functional access tokens directly to end-users in this manner.
Aikido researchers indicate the operators harvest valid keys from free users to subsidise the operations of their paying customer base. This infrastructure creates an automated marketplace for stolen compute resources.
Organisations bearing the cost of the compromised keys effectively fund the underlying operational overhead of the threat actors. The operator collects financial payments from one user cohort while extracting unauthorised credentials from another.
The identity to ransomware delivery pipeline
The exfiltration of local secrets serves as an entry point for broader infrastructure attacks. Security teams often treat local credential theft as an isolated workstation issue, ignoring the downstream risk of lateral network traversal.
Sophos incident telemetry establishes a correlation here, revealing that 66.5 percent of ransomware victims identified their primary identity breach as the exact mechanism that facilitated the subsequent ransomware execution.
Stolen tokens provide the initial access vectors required to compromise broader cloud environments. Once threat actors secure valid authentication keys, they map out accessible databases, source code repositories, and integrated production pipelines. The presence of unmonitored credentials allows attackers to navigate internal systems without triggering traditional signature-based endpoint defenses.
Unchecked access leads directly to data theft and extortion. Organisations unable to intercept identity attacks face severe operational disruptions, with 48.8 percent experiencing data theft and 48.4 percent suffering complete ransomware deployment.
The financial consequences extend beyond basic infrastructure repair to include direct extortion demands, which occurred in 43.9 percent of successful identity compromises.
Enforcing workstation dependency governance
Security operations centres require continuous visibility into the specific packages executing across internal workstations. Enterprise device protection platforms establish centralised governance over browser extensions, IDE add-ons, and local build dependencies.
Intercepting execution commands at the package manager level prevents the initial installation of compromised software. Open-source monitoring utilities integrate directly into local engineering workflows. The integration intercepts native commands executed via npm, npx, yarn, pnpm, and pnpx directly at the terminal level. These tools validate installation requests against centralised threat intelligence databases before allowing execution.
Reviewing internal dependency consumption prevents external threat actors from gaining a foothold within the corporate perimeter. Identifying the compromised plugins – including variants like CodeGPT AI Assistant with 25,571 downloads and DeepSeek AI Assist with 27,727 downloads – requires automated registry scanning.
Current baseline hygiene remains low, as only 11.1 percent of organisations continually rotate or audit service accounts and non-human credentials, leaving long-lived tokens exposed indefinitely. Engineering departments must ensure they revoke exposed AI provider credentials without delay and audit external model request logs for unauthorised geographical or volume-based usage anomalies.
See also: AI agent breaches Fedora software supply chain
Want to learn more about cybersecurity from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. The comprehensive event is part of TechEx and is co-located with other leading technology events including the AI & Big Data Expo. Click here for more information.
Developer is powered by TechForge Media. Explore other upcoming enterprise technology events and webinars here.
