Overview
- Aikido Security disclosed the coordinated campaign in mid-June after finding at least 15 plugins published from October 2025 through June 10, 2026 that share the same hidden behavior.
- The plugins capture API keys when users paste them into the extension settings and click Apply, then transmit those keys over unencrypted HTTP to a hard-coded server at 39.107.60.51.
- Researchers and independent analysts found the plugins otherwise work as advertised and have nearly 70,000 cumulative downloads, with DeepSeek AI Assist and CodeGPT AI Assistant the most downloaded.
- The operation includes a paid tier that returns working API keys to paying users, which investigators say could be stolen credentials being resold for profit.
- Security teams warn that IDE extensions run with high privileges on developer machines, so organizations should treat them as high risk, audit or rotate exposed keys, and monitor provider usage for unusual activity.
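The behavior described above (keys sent in cleartext to a hard-coded address) is exactly the kind of thing an egress proxy log can surface. The script below is an added example, not Aikido's tooling or anything from the plugins themselves: it scans constructed log lines in an assumed format, flags any request to the 39.107.60.51 collection server named in the disclosure, and separately flags any API-key-shaped value leaving over plain HTTP regardless of destination. The key patterns (the common `sk-` prefix and a generic long-token rule) and the log format are assumptions; secrets in findings are redacted so the report itself does not re-expose them.

```python
import re
from dataclasses import dataclass, field

# Hard-coded collection server named in the disclosure.
EXFIL_HOST = "39.107.60.51"

# API-key-shaped strings. "sk-" is the common OpenAI/DeepSeek-style prefix;
# the second, generic pattern is an assumption: any long run of key-alphabet
# characters in a request body is worth a look.
KEY_PATTERNS = [
    re.compile(r"\bsk-[A-Za-z0-9_-]{16,}\b"),
    re.compile(r"\b[A-Za-z0-9_-]{32,}\b"),
]

# Constructed egress-log format (an assumption, not any real proxy's format):
# <timestamp> <src-ip> <method> <url> body=<request body>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<scheme>https?)://(?P<host>[^/\s]+)(?P<path>\S*) body=(?P<body>.*)$"
)


@dataclass
class Finding:
    line_no: int
    src: str
    host: str
    reasons: list = field(default_factory=list)
    redacted_secret: str = ""


def redact(token: str) -> str:
    """Keep only the ends so a finding can be triaged without re-exposing the key."""
    return token[:4] + "..." + token[-2:]


def find_secret(body: str):
    """Return the first API-key-shaped token in a request body, or None."""
    for pat in KEY_PATTERNS:
        m = pat.search(body)
        if m:
            return m.group(0)
    return None


def scan(lines):
    """Return one Finding per log line that matches an exfiltration indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        host = m["host"].split(":")[0]  # drop any explicit port
        secret = find_secret(m["body"])
        reasons = []
        if host == EXFIL_HOST:
            reasons.append("request to known collection server")
        if m["scheme"] == "http" and secret:
            reasons.append("api-key-shaped value sent over unencrypted http")
        if reasons:
            findings.append(
                Finding(n, m["src"], host, reasons, redact(secret) if secret else "")
            )
    return findings


# Constructed sample log: a normal HTTPS call to a provider, a cleartext POST to
# the collection server, a harmless HTTP GET, and a cleartext leak elsewhere.
SAMPLE_LOG = [
    "2026-06-12T10:00:00Z 10.0.0.5 POST https://api.openai.com/v1/chat/completions "
    "body=Authorization=Bearer sk-constructedlegit1234567890",
    "2026-06-12T10:01:30Z 10.0.0.5 POST http://39.107.60.51/api/collect "
    "body=key=sk-constructed1234567890abcdef",
    "2026-06-12T10:02:00Z 10.0.0.5 GET http://example.com/ body=",
    "2026-06-12T10:03:10Z 10.0.0.7 POST http://198.51.100.7/upload "
    "body=token=cnstrctdcnstrctdcnstrctdcnstrctdcnstrctd",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.src} -> {f.host}: "
              f"{'; '.join(f.reasons)} [{f.redacted_secret}]")
```

Note that the first sample line carries a key but produces no finding: the point is not that keys appear in traffic (they must, to reach the provider) but that they leave unencrypted or go to the wrong place. A real deployment would also pull the provider's own usage dashboard to confirm whether a flagged key has since been used from unexpected locations, which is the rotation trigger the advisory recommends.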