I spent an hour yesterday morning auditing the extension list on my local IDE. It is a tedious task that most developers skip because we treat our development environments like a private sanctuary. We assume that if a tool exists on an official marketplace like JetBrains, it has passed a level of scrutiny that makes it safe. This assumption is a dangerous misconfiguration in our mental model of security. We spend millions of dollars on enterprise firewalls and endpoint detection systems, yet a single developer looking to automate a unit test can bypass every layer of defense with one click.
Security researchers at Aikido Security recently identified a coordinated malware campaign that exploits this exact blind spot. The campaign involves 15 malicious plugins hosted on the JetBrains Marketplace. These tools masquerade as AI-powered coding assistants, promising to generate commit messages, conduct code reviews, and find bugs. While they perform these tasks as advertised, they also function as a silent pipeline for credential theft. From an end-user perspective, the plugin looks like a productivity booster. Behind the scenes, it is an exfiltration engine for your most sensitive AI provider keys.
The campaign has been active since late 2025 and continued to push new malicious updates into mid-2026. The attackers leveraged the massive surge in demand for DeepSeek and other large language model integrations. By naming their plugins after popular AI tools, they successfully tricked thousands of users. Two specific plugins, CodeGPT AI Assistant and DeepSeek AI Assist, managed to rack up over 25,000 downloads each. Whether these numbers are organic or inflated by bot activity is secondary to the fact that they remained available for months.
The list of identified malicious plugins includes:
These plugins share a nearly identical codebase. To use them, you must provide an API key for services like OpenAI, SiliconFlow, or DeepSeek. Once you enter your key into the settings panel, the plugin transmits it to a remote server located at 39.107.60[.]51. The exfiltration occurs over a standard HTTP request in plaintext. This choice of protocol is particularly bold because it lacks even basic encryption, making the theft visible to anyone monitoring the network traffic.
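Because the key leaves the workstation over plaintext HTTP, an egress proxy can catch it. The following detection sketch is an added example, not code from the article or from Aikido Security; the JSON-lines log layout, the field names, the provider allowlist and the `sk-` key shape are all assumptions to adapt to your own proxy.

```python
import json
import re

# IoC as printed in the article (defanged); refanged only for matching.
IOC_IP = "39.107.60[.]51".replace("[.]", ".")
# Assumed allowlist of provider API hosts; adjust to the providers you use.
PROVIDER_HOSTS = {"api.openai.com", "api.deepseek.com", "api.siliconflow.cn"}
# Assumed key shape: "sk-" followed by 20 or more token characters.
KEY_RE = re.compile(r"\bsk-[A-Za-z0-9_-]{20,}")

# Constructed proxy records, one JSON object per line; field names are hypothetical.
SAMPLE_LOG = """\
{"src":"10.0.4.17","scheme":"https","host":"api.deepseek.com","dst_ip":"203.0.113.10","path":"/chat/completions","body":""}
{"src":"10.0.4.17","scheme":"http","host":"39.107.60.51","dst_ip":"39.107.60.51","path":"/report","body":"key=sk-CONSTRUCTEDexample0000000000000000"}
{"src":"10.0.4.22","scheme":"http","host":"updates.example.net","dst_ip":"198.51.100.7","path":"/v?k=sk-CONSTRUCTEDexample1111111111111111","body":""}
{"src":"10.0.4.30","scheme":"http","host":"mirror.example.org","dst_ip":"198.51.100.9","path":"/pkg/index.json","body":""}
"""


def redact(text):
    # Keep only a short prefix so the alert does not re-leak the key.
    return KEY_RE.sub(lambda m: m.group(0)[:6] + "...[redacted]", text)


def findings(record):
    """Return the reasons a single proxy record is suspicious."""
    reasons = []
    if record.get("dst_ip") == IOC_IP:
        reasons.append("ioc-ip")
    exposed = record.get("path", "") + " " + record.get("body", "")
    plaintext = record.get("scheme") == "http"
    if plaintext and record.get("host") not in PROVIDER_HOSTS and KEY_RE.search(exposed):
        reasons.append("plaintext-key-to-non-provider")
    return reasons


def scan(log_text):
    """Scan JSON-lines proxy records and return alerts with redacted evidence."""
    alerts = []
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines
        reasons = findings(record)
        if reasons:
            evidence = redact(record.get("path", "") + " " + record.get("body", "")).strip()
            alerts.append({"src": record.get("src"), "host": record.get("host"),
                           "reasons": reasons, "evidence": evidence})
    return alerts
```

The second rule does not depend on the published IP address, so it still fires if the operators move the collection server.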
There is a peculiar monetization strategy embedded in these plugins. The attackers included a donation wall or a paid tier within the software. When a user pays a small fee, the server sends a different, functional API key back to the client. The plugin then uses this new key for its model calls. This behavior is a red flag for any forensic analyst. A legitimate software provider does not hand out unrestricted, paid API keys for a third-party service in exchange for a small donation.
This cycle suggests the operators are running a credential-sharing ring. They steal keys from one group of victims and sell access to those same keys to another group. This turns the victims into the unwitting financiers of the attackers' business model. In effect, this is a form of LLMjacking. The genuine key owners pay the monthly usage bills while the attackers collect pure profit from the donation fees. This scheme highlights why developers are such high-value targets. A compromised IDE contains more than just source code. It contains the keys to the cloud infrastructure and the financial pipelines of the entire company.
While the JetBrains incident targets the backend of the development process, a second campaign named PromptSnatcher targets the user interface. Security researcher Jean-Marie R. discovered two Google Chrome extensions that capture private conversations with AI chatbots. These extensions, Smart Adblocker and Adblock for Browser, have a combined user base of over 100,000 people. They functioned as legitimate ad blockers for years before the developers introduced data-stealing features via software updates.
The extensions use an interception engine to record every interaction you have with ChatGPT, Claude, Gemini, Copilot, and Meta AI. They collect the full conversation history, the specific model used, and your account subscription tier. This data goes to an attacker-controlled server without your knowledge. The operators hide this activity under the guise of an "Enhanced Protection" consent string. At an architectural level, these extensions are a classic digital Trojan horse. They provide a useful service, blocking ads, to justify their presence in your browser while they harvest your intellectual property.
This trend of stealing AI interactions is known as prompt poaching. It is a systemic threat to corporate confidentiality. When a developer asks an AI to debug a proprietary algorithm or a legal team asks for a summary of a non-disclosure agreement, that data is highly sensitive. If a malicious extension captures that prompt, the company loses control over its intellectual property.
Unlike traditional malware that seeks to encrypt files or steal banking logins, prompt poaching is a more granular form of corporate espionage. The stolen data is often unstructured but extremely valuable. It provides insights into a company's internal projects, its technical vulnerabilities, and its strategic direction. These extensions are pervasive because they rely on the user's desire for a cleaner browsing experience. Many users grant these tools broad permissions to read and change data on all websites, which is exactly what the interception engine needs to function.
If your IDE or browser is a VIP club, your plugins are the bouncers. You should never let a bouncer in without a thorough background check. To defend against these types of supply chain attacks, you must move toward a zero-trust model for your development environment. Patching your OS is a baseline requirement, but it does not protect you from a malicious plugin that you voluntarily installed.
Start by auditing every plugin in your IDE. If you have any of the 15 DeepSeek-related plugins listed above, remove them immediately. After removal, you must assume your API keys are compromised. Rotate every key you have ever entered into those tools. Monitoring your billing statements for unusual spikes in AI usage is another reactive measure, but it is better to prevent the leak at the source.
For browser security, follow the principle of least privilege. Do not use ad blockers that require access to "all websites" if you also use that browser for sensitive work. Use a dedicated, hardened browser for interacting with AI chatbots and cloud consoles. This separation of duties prevents a malicious extension in your primary browser from seeing what you do in your secure sessions. Finally, use a secret management tool to handle API keys instead of pasting them into plugin settings panels whenever possible. Treat every third-party tool as a potential vulnerability until you have verified its behavior through network monitoring or code review.
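To apply the least-privilege advice above, you can check which installed extensions are able to read AI chat pages at all. This is an added example, not code from the article or the researchers; it evaluates Chrome match patterns from a parsed `manifest.json`, and the chatbot hostnames and sample manifests are assumptions constructed for illustration.

```python
# Hostnames assumed for the chatbots the article names; adjust to your own list.
AI_HOSTS = ["chatgpt.com", "claude.ai", "gemini.google.com",
            "copilot.microsoft.com", "meta.ai"]

# Constructed manifests (as returned by json.load); none is from a real extension.
SAMPLE_MANIFESTS = [
    {"name": "Constructed Ad Blocker", "manifest_version": 3,
     "host_permissions": ["<all_urls>"]},
    {"name": "Constructed Search Helper", "manifest_version": 2,
     "permissions": ["storage", "*://*.google.com/*"]},
    {"name": "Constructed Docs Tool", "manifest_version": 3,
     "content_scripts": [{"matches": ["https://docs.example.com/*"], "js": ["c.js"]}]},
]


def pattern_covers(pattern, host):
    """True if a Chrome match pattern grants access to https://<host>/ (path ignored)."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "https"):
        return False  # http-only, file:// and similar do not reach HTTPS chat pages
    pat_host = rest.split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):
        base = pat_host[2:]
        return host == base or host.endswith("." + base)
    return host == pat_host


def granted_patterns(manifest):
    """Collect host patterns from MV3 host_permissions, MV2 permissions, content scripts."""
    patterns = list(manifest.get("host_permissions", []))
    patterns += [p for p in manifest.get("permissions", [])
                 if p == "<all_urls>" or "://" in p]
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return patterns


def audit(manifest):
    """Report which AI chat hosts an extension can read or modify."""
    patterns = granted_patterns(manifest)
    reachable = [h for h in AI_HOSTS if any(pattern_covers(p, h) for p in patterns)]
    return {"name": manifest.get("name"), "reachable_ai_hosts": reachable}
```

An extension that reports a non-empty `reachable_ai_hosts` list belongs in a different browser profile from the one you use for AI chat sessions and cloud consoles.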
Sources: Aikido Security Research, Chrome Web Store Metadata, NIST Cybersecurity Framework (Supply Chain Risk Management), MITRE ATT&CK (T1553.004: Install Root Certificate/Subvert Trust Policy).
Disclaimer: This article is for informational and educational purposes only and does not replace a professional cybersecurity audit or incident response service.


