Malicious JetBrains Plugins Exfiltrate AI API Keys as Chrome Extensions Capture User Conversations

Cybersecurity researchers have identified a significant threat within the JetBrains Marketplace, revealing a coordinated malware campaign that has introduced at least 15 malicious plugins capable of exfiltrating API keys from artificial intelligence (AI) providers. This alarming development highlights the vulnerabilities present in widely used development environments and the potential for serious data breaches.

Overview of the Malware Campaign

The malicious plugins masquerade as AI coding assistants, claiming to be built on platforms like DeepSeek and other large language models. They offer functionalities such as chat assistance, commit messages, code reviews, bug detection, and unit testing. However, as noted by Aikido Security researcher Ilyas Makari, while these plugins perform their advertised tasks, they also covertly exfiltrate the AI provider API keys entered by users to a server controlled by the attackers.

This campaign has reportedly been active since late October 2025, with new plugins surfacing as recently as June 10, 2026. Notably, two of the plugins—CodeGPT AI Assistant and DeepSeek AI Assist—have amassed over 25,000 downloads each. However, the authenticity of these download counts remains questionable, raising concerns about potential manipulation to create a false sense of popularity.

List of Malicious Plugins

The following is a comprehensive list of the identified malicious plugins:

• DeepSeek Junit Test (org.sm.yms.toolkit)
• DeepSeek Git Commit (com.json.simple.kit)
• DeepSeek FindBugs (org.bug.find.tools)
• DeepSeek AI Chat (org.translate.ai.simple)
• DeepSeek Dev AI (com.yy.test.ai.simple)
• DeepSeek AI Coding (com.dev.ai.toolkit)
• AI FindBugs (com.json.view.simple)
• AI Git Commitor (com.my.git.ai.kit)
• AI Coder Review (org.check.ai.ds)
• DeepSeek Coder AI (com.review.tool.code)
• AI Coder Assistant (org.code.assist.dev.tool)
• DeepSeek Code Review (com.coder.ai.dpt)
• CodeGPT AI Assistant (com.my.code.tools)
• DeepSeek AI Assist (ord.cp.code.ai.kit)
• Coding Simple Tool (com.dp.git.ai.tool)

Aikido Security has indicated that all 15 plugins share a similar codebase, necessitating users to input an API key for AI services like OpenAI, SiliconFlow, or DeepSeek to access their promised functionalities.

Technical Mechanism of the Attack

While the plugins function as intended, they incorporate a hidden capability to siphon the provided API keys to a remote server (39.107.60[.]51) via plaintext HTTP requests. This method of data exfiltration poses a significant risk to developers who may unknowingly compromise their credentials.

Additionally, the plugins feature a paid tier. After users pay a nominal fee through a built-in donation wall, the server responds by sending a new API key back to the client. The plugin then utilizes this key for its operations instead of the user’s original key. This unusual behavior raises suspicions, as legitimate service providers would not typically provide unrestricted access to a paid AI service in this manner.

The implications of this scheme suggest that the operators may be sharing the stolen API keys with other malicious actors, effectively creating a service that allows paying users to access compromised AI provider credentials. This dual revenue model allows the attackers to profit from both the sale of the stolen keys and the fees collected from unsuspecting users.

Broader Implications for Developer Environments

This incident underscores a growing trend where threat actors are increasingly targeting developer environments through the open-source ecosystem. The open-source nature of many development tools makes them attractive targets, as they often contain sensitive information such as source code, cloud credentials, signing keys, and API keys for paid AI services. These assets can be exploited for various malicious activities, including LLMjacking schemes.

Aikido Security emphasizes the importance of treating plugins with the same caution as any dependency that operates with user privileges. Developers are advised to exercise vigilance when entering long-lived secrets into tools that have not been thoroughly vetted.

Concurrent Threats: Malicious Chrome Extensions

In a related development, two Google Chrome ad blocker extensions have been discovered capturing users’ conversations with AI chatbots, including OpenAI ChatGPT, Anthropic Claude, Google Gemini, and others. This data collection operation, dubbed PromptSnatcher by researcher Jean-Marie R., highlights another layer of risk in the cybersecurity landscape.

The extensions, still available on the Chrome Web Store, are:

• Smart Adblocker (ID: iojpcjjdfhlcbgjnpngcmaojmlokmeii) – 90,000 users (Published in October 2022)
• Adblock for Browser (ID: jcbjcocinigpbgfpnhlpagidbmlngnnn) – 10,000 users (Published in August 2023)

These extensions, while marketed as ad blockers, incorporate a custom-built interception engine that records non-public conversations, model usage, and account-tier metadata from major AI platforms. They utilize legitimate public filter lists as a cover, providing genuine ad-blocking functionality while simultaneously operating an undisclosed telemetry channel.

The longevity of these extensions suggests that the AI-related data exfiltration features were likely introduced through software updates, raising questions about the integrity of the Chrome Web Store’s review process.

Conclusion

The emergence of these malicious plugins and Chrome extensions serves as a stark reminder of the vulnerabilities present in software ecosystems. As developers increasingly rely on third-party tools, the potential for exploitation grows. The ongoing evolution of these threats necessitates heightened awareness and proactive measures to safeguard sensitive information.

Source: thehackernews.com

Keep reading for the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.