Cybersecurity researchers have flagged a "coordinated malware campaign" on the JetBrains Marketplace that has published no less than 15 malicious plugins capable of exfiltrating artificial intelligence (AI) provider keys.
"Every plugin poses as an AI coding assistant built on DeepSeek and other large language models, offering chat, commit messages, code review, bug finding, and unit tests," Aikido Security researcher Ilyas Makari said. "They function exactly as advertised. However, the AI provider API key you enter gets exfiltrated to a server controlled by the attacker."
The activity is said to have been ongoing since the end of October 2025, with new plugins released as recently as June 10, 2026. Two of the plugins, CodeGPT AI Assistant and DeepSeek AI Assist, have more than 25,000 downloads each, although it's not clear if the counts are authentic or if they have been inflated to fake their popularity.
The complete list of plugins is below -
- DeepSeek Junit Test (org.sm.yms.toolkit)
- DeepSeek Git Commit (com.json.simple.kit)
- DeepSeek FindBugs (org.bug.find.tools)
- DeepSeek AI Chat (org.translate.ai.simple)
- DeepSeek Dev AI (com.yy.test.ai.simple)
- DeepSeek AI Coding (com.dev.ai.toolkit)
- AI FindBugs (com.json.view.simple)
- AI Git Commitor (com.my.git.ai.kit)
- AI Coder Review (org.check.ai.ds)
- DeepSeek Coder AI (com.review.tool.code)
- AI Coder Assistant (org.code.assist.dev.tool)
- DeepSeek Code Review (com.coder.ai.dpt)
- CodeGPT AI Assistant (com.my.code.tools)
- DeepSeek AI Assist (ord.cp.code.ai.kit)
- Coding Simple Tool (com.dp.git.ai.tool)
Aikido Security said all 15 plugins share a similar codebase, requiring users to open the settings panel and enter an API key for an AI like OpenAI, SiliconFlow, or DeepSeek in order to carry out the promised functionality.
While the plugins work as they are intended to, they have been found to sneak in the ability to covertly siphon the provided API key to a remote server ("39.107.60[.]51") under the attacker's control over an HTTP request in plaintext format.
"The plugins also run a paid tier," the company said. "After a user pays a small fee through the donation wall built into the plugin, the server sends an API key back down to the client, and the plugin starts using that key for its model calls instead of your own, which is bizarre, since no legitimate operator would simply hand a user a working and unrestricted key to a paid AI provider."
This has raised the possibility that the operators behind the campaign are likely sharing the stolen AI provider API keys with other threat actors as part of an illicit monetization scheme, effectively turning it into a service that grants paying users access to the victim's AI provider.
"The operator collects money on one side and free credentials on the other, while the genuine key owners pay the bill," Makari added.
The campaign is further evidence of how threat actors are increasingly targeting developer environments through the open-source ecosystem, which has become a lucrative target owing to the fact that they host source code, cloud credentials, signing keys, and API keys for paid AI services that can be resold for LLMjacking schemes.
"Treat a plugin the same way you would treat any dependency that runs with your privileges, and be cautious about pasting long-lived secrets into tools you have not vetted," Aikido Security said.
Malicious Chrome Extensions Steal AI Conversations
The development coincides with the discovery of two Google Chrome ad blocker extensions that have been caught capturing users' conversations with AI chatbots like OpenAI ChatGPT, Anthropic Claude, Google Gemini, Microsoft Copilot, Perplexity, DeepSeek, xAI Grok, and Meta AI. The data collection operation has been codenamed PromptSnatcher by researcher Jean-Marie R.
The names of the extensions, which are still available on the Chrome Web Store, are as follows -
- Smart Adblocker (ID: iojpcjjdfhlcbgjnpngcmaojmlokmeii) - 90,000 users (Published in October 2022)
- Adblock for Browser (ID: jcbjcocinigpbgfpnhlpagidbmlngnnn) - 10,000 users (Published in August 2023)
"While presented as ad blockers, the extensions ship a custom-built interception engine that records non-public conversations, model usage, and account-tier metadata from every major AI platform (ChatGPT, Claude, Gemini, and others)," the researcher said. "The operation uses legitimate public filter lists (EasyList, IDCAC) as functional cover, providing genuine ad-blocking utility while running an undisclosed telemetry channel."
The fact that the two extensions have been around for several years indicates that the AI-related data exfiltration features were introduced in the form of software updates.
These types of attacks fall under a category known as Prompt Poaching. Over the past several months, browser extensions, both legitimate and malicious, have been observed adopting this method to stealthily capture users' AI chats under the pretext of enhancing Safe Browsing or providing in-depth traffic or engagement metrics. What's unclear is whether these practices violate Google's policies for browser extensions.
"The extensions intercept full AI conversation history, model usage, and subscription tier from eight platforms, and transmit this data to operator-controlled infrastructure without notification to the user beyond a generic 'Enhanced Protection' consent string," the researcher noted.
Malicious JetBrains Plugins Removed
As of June 17, 2026, JetBrains has removed the 15 third-party plugins from Marketplace, blocked the seven publisher accounts, and disabled the plugins in installed IDEs through its backend systems. It has also hardened its vetting pipelines to trigger automated code reviews for plugin handling configuration inputs resembling sensitive cloud API keys.
"Historically, our Plugin Verifier tool was architected as a compatibility and API-usage checker rather than a dedicated data-flow or anti-malware scanner," JetBrains said. "Because the core APIs used by the plugins appeared normal in isolation, individual hardcoded endpoints and custom TLS configurations were not flagged during initial ingestion."
Users who have installed or used any of the aforementioned JetBrains plugins are advised to treat any API keys entered into them as exposed and revoke them with immediate effect.
"Our independent investigation on June 19, 2026, confirmed that the attacker's C2 server remains live and actively responding to API requests – three days after JetBrains removed the plugins," StepSecurity said. "The server hosts a Chinese-language admin panel titled '信息管理平台' (Information Management Platform) with a login interface, suggesting an organized operation."
"A live C2 server means that any stolen API keys that have not yet been rotated could still be actively exploited by the attacker. It also suggests the attacker has not been disrupted beyond losing access to the JetBrains Marketplace distribution channel, and may pivot to other platforms."
(The story was updated after publication on June 26, 2026, to reflect the latest developments.)
