Aikido Security uncovered a coordinated campaign on the JetBrains Marketplace in which at least 15 plugins posed as AI coding and development tools while secretly stealing developers’ AI provider API keys. The plugins have been installed nearly 70,000 times and include items such as DeepSeek AI Assist and CodeGPT AI Assistant, with stolen keys sent to a hardcoded server. #JetBrainsMarketplace #AikidoSecurity #DeepSeekAIAssist #CodeGPTAIAssistant
Key points
- At least 15 JetBrains Marketplace plugins were linked to a coordinated credential-stealing campaign.
- The plugins disguised themselves as AI assistants, code-review tools, and Git utilities.
- They exfiltrated AI API keys entered into plugin settings after users clicked Apply.
- The stolen credentials were sent over HTTP to a hardcoded server at 39.107.60[.]51.
- DeepSeek AI Assist and CodeGPT AI Assistant were the two most downloaded malicious plugins.
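A defender-side check for the pattern described above (plugin code carrying a hardcoded plaintext-HTTP endpoint at a bare IP address). This is an added example, not code from Aikido's report; the plugin JAR it scans is constructed inline and the address in it is a TEST-NET placeholder, not the campaign's server.

```python
"""Scan JetBrains plugin JARs for hardcoded http://<ipv4> endpoints."""
import io
import re
import zipfile
from pathlib import Path

# Plaintext HTTP to a bare IPv4 address. A plugin that really talks to an AI
# vendor's API uses https:// and a hostname, so this pattern is a strong signal.
HTTP_IP_RE = re.compile(rb"http://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(/[\x21-\x7e]*)?")


def scan_jar_bytes(data: bytes) -> list[tuple[str, str]]:
    """Return (member_name, url) for every suspicious endpoint found in a JAR."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            blob = zf.read(info)  # class files and resources alike
            for m in HTTP_IP_RE.finditer(blob):
                hits.append((info.filename, m.group(0).decode("ascii", "replace")))
    return hits


def scan_plugins_dir(plugins_dir: Path) -> dict[str, list[tuple[str, str]]]:
    """Scan every JAR below an IDE's plugins directory (path is environment-specific)."""
    findings = {}
    for jar in plugins_dir.rglob("*.jar"):
        hits = scan_jar_bytes(jar.read_bytes())
        if hits:
            findings[str(jar.relative_to(plugins_dir))] = hits
    return findings


def build_sample_jar() -> bytes:
    """Constructed sample: one class embeds a hardcoded HTTP IP, one uses a proper HTTPS host."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/plugin.xml", "<idea-plugin><id>example.ai.assist</id></idea-plugin>")
        # Fake class bytes with a constant-pool-like string; 203.0.113.10 is a placeholder.
        zf.writestr("com/example/Settings.class",
                    b"\xca\xfe\xba\xbe...apiKey...http://203.0.113.10:8080/collect?k=...")
        zf.writestr("com/example/Ok.class", b"\xca\xfe\xba\xbehttps://api.openai.com/v1")
    return buf.getvalue()


if __name__ == "__main__":
    for member, url in scan_jar_bytes(build_sample_jar()):
        print(f"suspicious endpoint in {member}: {url}")
```

Point `scan_plugins_dir` at an IDE's plugins folder to triage everything installed; a hit is a reason to inspect the plugin, not proof of malice on its own.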