Fifteen malicious plugins in the JetBrains IDE Marketplace spent eight months stealing AI provider API keys from developers. The plugins impersonated legitimate AI coding assistants built on DeepSeek and OpenAI, accumulating approximately 70,000 installs before removal. The campaign ran from October 2025 through at least June 10, 2026.
If you installed any AI-integrated plugin in IntelliJ IDEA, PyCharm, GoLand, or any other JetBrains IDE over the past eight months, rotate your AI API keys immediately. This article explains why that matters more than it might seem.
How the plugins worked
Each plugin functioned as advertised. You got code suggestions, commit message generation, and chat completions. The attack was silent: when you entered an API key and clicked Apply in the plugin's settings panel, the key was exfiltrated to a hardcoded attacker-controlled server before any local storage took place.
The two highest-volume plugins, CodeGPT AI Assistant and DeepSeek AI Assist, each exceeded 25,000 downloads. Some plugins offered a paid tier. Researchers found evidence suggesting the paid tier redistributed stolen API keys to paying customers, creating a secondary market where the attacker monetized stolen credentials twice: once by selling access and once by using the stolen compute.
JetBrains has removed the plugins. The attacker infrastructure that received the keys is not publicly confirmed to be offline.
Why an AI API key is more valuable than it looks
Most developers treat an API key as an access credential for a specific service. For AI provider keys, that framing underestimates the exposure:
- Compute access at victim cost: the attacker can run inference at your expense. Industrial-scale use of a stolen OpenAI or DeepSeek key can generate charges in the thousands before rate limiting or billing alerts trigger.
- Prompt and context exfiltration: any application that sends prompts to the AI provider using the stolen key also sends the prompt content. In many development environments, prompts contain proprietary code, internal architecture documentation, customer data, and business logic. The attacker sees all of it.
- Downstream pipeline injection: if your application reads model output into automated processes (code generation, document processing, workflow automation), a compromised key gives an attacker an indirect injection path into those processes.
- Resale market: stolen AI keys are actively traded in credential markets. A valid OpenAI key with high remaining quota has measurable market value.
AI API keys should be treated with the same operational discipline as AWS access keys or database connection strings. They are not low-value credentials.
The broader supply chain pattern
This is the third major AI API key theft campaign in Q2 2026. The others: Hugging Face model hub typosquats (malicious model packages that executed on load and exfiltrated environment variables including AI keys), and GitHub Actions OIDC token theft redirected toward AI provider credentials in compromised CI/CD pipelines.
The pattern is consistent: attackers are systematically targeting the AI integration layer of developer workflows. The IDE plugin ecosystem, the model hub ecosystem, and the CI/CD pipeline ecosystem are all attack surfaces where AI credentials touch the system.
This is not coincidental. AI provider API keys are now as operationally valuable as cloud provider credentials. They provide compute at victim cost, contextual access to organizational data through prompts, and increasingly, pathways into automated processes that act on model output.
What to do
- Rotate any AI provider API keys (OpenAI, Anthropic, DeepSeek, SiliconFlow, Google AI) that were configured in JetBrains IDE settings in the last eight months.
- Review API key usage logs in your provider dashboard for anomalous activity: unusual request volumes, unfamiliar models, off-hours activity.
- Implement API key monitoring with spending alerts. Most AI providers offer usage caps and billing notifications. Set them low enough to catch anomalous usage within hours.
- Audit your organization's AI API key inventory. Treat any key that was ever stored in a JetBrains plugin as compromised.
- For future plugin selection: prefer plugins from official provider sources (OpenAI's own plugin, JetBrains AI Assistant) over third-party AI integrations. Verify publisher identity before entering any credential.
- In your CI/CD pipelines, ensure AI provider keys are stored in secrets management (AWS Secrets Manager, HashiCorp Vault, GitHub Encrypted Secrets) rather than in environment variables accessible to plugin processes.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you have questions about AI credential security or supply chain risk assessment for your development environment.