15 JetBrains Plugins Caught Exfiltrating AI API Keys

Cybersecurity researchers at Aikido Security discovered a coordinated malware campaign using 15 JetBrains plugins to steal AI API keys from 70,000 developers.

On June 16, 2026, researchers at Aikido Security uncovered a coordinated malware campaign involving 15 malicious plugins on the JetBrains Marketplace. Active since October 2025 across seven vendor accounts, these Trojanized tools accumulated approximately 70,000 installations before detection. The campaign specifically targeted developer API keys for OpenAI, DeepSeek, and SiliconFlow.

Plugin Architecture and Exfiltration

Because JetBrains plugins execute unsandboxed within the IDE, they inherit the exact permissions of the host developer. This architecture allows malicious extensions to silently monitor background activity and capture sensitive inputs without triggering operating system security alerts. The structural design makes it difficult to secure AI agents and local tooling that rely on plaintext environment variables.

The theft sequence executes when a developer pastes their AI provider credentials into the plugin settings pane. Clicking “Apply” immediately transmits the key over unencrypted HTTP to a hardcoded command-and-control server located at 39.107.60[.]51.

The DeepSeek AI Assist Vector

The campaign operated behind fully functional coding utilities. Technical analysis of the DeepSeek AI Assist plugin revealed an unusual redistribution economy where the attackers harvested credentials from users on the free tier and dynamically redistributed those stolen keys to developers who purchased the plugin’s premium tier.

| Indicator | Value |
| --- | --- |
| C2 Server IP | 39.107.60[.]51 |
| Exfiltration Endpoint | hxxp://39.107.60[.]51/api/software/key |
| Known Malicious ID | ord.cp.code.ai.kit |
| Target Providers | OpenAI, DeepSeek, SiliconFlow |

This secondary routing mechanism effectively laundered the API usage. By feeding stolen keys back into the premium product, the operators bypassed standard provider rate limits and provided unrestricted model access while masking their underlying infrastructure.

Financial Risks of LLMjacking

Compromised credentials expose developers directly to LLMjacking. Attackers utilize stolen keys to route high-volume inference traffic through victim accounts. In documented cases from early 2026, stolen AI credentials transformed standard $180 monthly usage bills into $80,000 liabilities within 48 hours.

JetBrains removes verified malicious extensions upon notification, and the flagged packages are currently being delisted from the marketplace. Organizations that actively monitor AI applications for unexpected token spikes often detect these anomalies before the billing cycle ends, but prevention requires strict credential management.

If you installed DeepSeek AI Assist or similar unverified coding utilities from the JetBrains Marketplace between October 2025 and June 2026, immediately revoke and rotate your API keys. Audit your organization’s IDE extensions and configure your network perimeter to block all outbound traffic to 39.107.60[.]51.
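
One way to carry out the extension audit recommended above, as an added example that is not code from Aikido Security, JetBrains or this article: it walks a plugins directory, opens each jar or zip, and reports the plugin ID and C2 IP from the indicator table. It assumes the plugin descriptor sits at META-INF/plugin.xml inside the plugin's jar (the standard JetBrains layout); the function names are hypothetical and the plugins created by build_sample are constructed test data.

```python
"""Audit JetBrains plugin archives for the indicators listed in the article."""
import io, re, sys, tempfile, zipfile
from pathlib import Path

# Indicators copied from the article; the IP is refanged for byte matching.
BAD_PLUGIN_IDS = {"ord.cp.code.ai.kit"}
C2_IP = "39.107.60[.]51".replace("[.]", ".").encode()
ID_TAG = re.compile(rb"<id>\s*([^<]+?)\s*</id>")  # regex: no XML parser on hostile input

def scan_archive(data, origin, findings):
    """Check one jar/zip given as bytes, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        for name in zf.namelist():
            body = zf.read(name)
            if name == "META-INF/plugin.xml":
                for pid in ID_TAG.findall(body):
                    if pid.decode(errors="replace") in BAD_PLUGIN_IDS:
                        findings.append((origin, "plugin-id", pid.decode()))
            if name.endswith((".jar", ".zip")):
                scan_archive(body, f"{origin}!{name}", findings)
            elif C2_IP in body:  # string constants sit in class files as plain bytes
                findings.append((origin, "c2-ip", name))

def scan_plugins(root):
    """Return (archive, kind, detail) findings for every archive under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in (".jar", ".zip"):
            scan_archive(path.read_bytes(), str(path), findings)
    return findings

def build_sample(root):
    """Constructed test data: one plugin carrying both indicators, one benign."""
    for folder, pid in (("kit", "ord.cp.code.ai.kit"), ("ok", "com.example.ok")):
        lib = Path(root, folder, "lib")
        lib.mkdir(parents=True)
        with zipfile.ZipFile(lib / f"{folder}.jar", "w") as zf:
            zf.writestr("META-INF/plugin.xml", f"<idea-plugin><id>{pid}</id></idea-plugin>")
            if folder == "kit":
                zf.writestr("Settings.class", b"\xca\xfe\xba\xbe" + C2_IP)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        target = sys.argv[1] if len(sys.argv) > 1 else (build_sample(tmp) or tmp)
        for origin, kind, detail in scan_plugins(target):
            print(f"{kind}\t{detail}\t{origin}")
```

Pass the IDE's plugins directory as the first argument to scan a real installation. A clean result only rules out the literal indicators: a plugin that assembles the address at runtime or ships under a different ID will not match, so rotate keys regardless.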
