Introduction: The Hidden Danger Behind AI Productivity Tools
Artificial intelligence has rapidly become a core part of modern software development. From automated code reviews to AI-powered coding assistants, developers increasingly rely on plugins that promise faster workflows and smarter coding experiences. However, a newly uncovered malware campaign demonstrates how cybercriminals are exploiting this trust.
Security researchers have discovered a coordinated operation involving at least fifteen malicious plugins distributed through the JetBrains Marketplace. These plugins appeared to offer legitimate AI-powered functionality while secretly stealing sensitive API credentials from unsuspecting developers. What makes this incident particularly alarming is not only the scale of the campaign, but also the fact that it targeted developers directly, potentially exposing valuable AI service accounts and creating a new attack surface within software development environments.
A Massive Credential Theft Operation Hiding in Plain Sight
Security firm Aikido Security revealed that at least fifteen JetBrains IDE plugins were intentionally designed to collect and exfiltrate AI API keys entered by users.
The malicious extensions were presented as useful tools, including AI coding assistants, Git commit helpers, bug-finding utilities, and code-review assistants. Many of them claimed integration with popular AI platforms such as OpenAI, DeepSeek, and SiliconFlow.
According to the investigation, these plugins were distributed through seven separate vendor accounts and accumulated nearly 70,000 downloads. While download statistics can sometimes be manipulated, the numbers suggest a potentially significant number of affected users.
Researchers believe the campaign began as early as October 2025 and continued actively until June 2026, demonstrating a long-running and highly organized operation.
How the Malicious Plugins Stole Developer Secrets
The most concerning aspect of the campaign is that the plugins actually worked as advertised.
Unlike many malware samples that immediately reveal suspicious behavior, these extensions delivered their promised functionality. Developers could use AI-assisted coding features normally, making the malicious behavior much harder to detect.
The credential theft occurred when users configured their AI service API keys within plugin settings. After entering the key and pressing the “Apply” button, the plugin silently transmitted the credential to an attacker-controlled server.
This technique is particularly effective because developers often trust development tools and rarely expect malicious activity from software installed through an official marketplace.
The Suspicious Paid-Tier Mechanism
Researchers uncovered an unusual monetization model embedded within the malicious plugins.
Users were offered a premium tier accessible through a built-in donation mechanism. After payment, the remote server would allegedly provide an API key back to the customer.
This behavior immediately raised red flags among investigators.
Legitimate AI service providers do not generally distribute unrestricted commercial API credentials through third-party plugin operators. The discovery led researchers to suspect that stolen credentials collected from free users may have been recycled and redistributed to paying customers.
If true, the operation effectively transformed stolen developer credentials into a revenue-generating ecosystem, where victims unknowingly supplied the resources consumed by other users.
DeepSeek AI Assist Confirmed to Contain Theft Mechanisms
One of the most downloaded plugins involved in the campaign was DeepSeek AI Assist.
Independent analysis reportedly confirmed that the latest available version still contained credential exfiltration functionality. Despite the public disclosure of the campaign, the plugin remained downloadable through the JetBrains Marketplace during parts of the investigation.
This finding highlights a growing challenge facing software marketplaces. Malicious code can remain active even after researchers identify suspicious behavior, creating a dangerous window during which additional users may become victims.
Complete List of Identified Malicious Plugins
AI and DeepSeek-Themed Extensions Used in the Campaign
The following plugins were identified as part of the operation:
DeepSeek Junit Test
DeepSeek Git Commit
DeepSeek FindBugs
DeepSeek AI Chat
DeepSeek Dev AI
DeepSeek AI Coding
AI FindBugs
AI Git Commitor
AI Coder Review
DeepSeek Coder AI
AI Coder Assistant
DeepSeek Code Review
CodeGPT AI Assistant
DeepSeek AI Assist
Coding Simple Tool
Many of these names intentionally leveraged popular AI branding trends, making them appear trustworthy and relevant to developers seeking productivity enhancements.
Why This Attack Is Different from Typical Supply Chain Threats
Software supply chain attacks are not new. Developers regularly encounter malicious packages hidden within repositories such as npm and PyPI.
However, attacks targeting JetBrains Marketplace users remain relatively rare.
This incident demonstrates that attackers are expanding beyond traditional package ecosystems and increasingly targeting integrated development environments directly. Since IDE plugins often receive elevated trust and broad system access, they represent highly attractive targets for cybercriminals.
The attack also highlights a dangerous trend where threat actors blend legitimate functionality with malicious operations. Users may never suspect compromise because the advertised features continue working normally.
The Growing Value of AI API Keys
AI API credentials have become valuable digital assets.
These keys provide access to expensive computational resources, advanced language models, and enterprise AI services. Stolen credentials can be abused for:
Unauthorized AI usage
Cryptocurrency-related automation
Spam generation
Large-scale content creation
Infrastructure abuse
Credential resale operations
As organizations integrate AI deeper into their workflows, attackers increasingly view API keys as valuable targets comparable to cloud credentials or corporate passwords.
Security Lessons Every Developer Should Learn
The discovery serves as a powerful reminder that official marketplaces are not immune to abuse.
Developers should treat third-party plugins with the same caution applied to open-source packages. Before installing extensions, users should:
Review publisher history carefully.
Verify community reputation.
Audit source code when available.
Limit API permissions whenever possible.
Rotate credentials regularly.
Monitor unusual API usage patterns.
Use separate keys for testing and production environments.
Remove unused IDE extensions.
Trusting a plugin simply because it appears in an official marketplace is no longer sufficient.
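The checklist above ends with rotating credentials and removing unused extensions, which raises a practical question: after a suspect plugin is removed, which keys actually need rotating? The scanner below answers that for a workstation. It is an added example written for this article, not code from Aikido Security, JetBrains or any of the plugins discussed. It assumes (the page does not say) that JetBrains IDEs persist plugin settings as option elements in options/*.xml files under ~/.config/JetBrains/<Product><Version>/ on Linux, that keys of the providers involved carry the common "sk-" prefix, and that any option whose name mentions key, token or secret deserves a look; the sample settings file it runs against is constructed inline.

```python
"""Find AI API keys that IDE plugins have persisted in plaintext settings.

Added example for this article; not code from Aikido Security, JetBrains or
the plugins discussed. Assumptions: plugin settings are read from the IDE's
options/*.xml files (Linux default ~/.config/JetBrains/<Product><Version>/),
and a key is recognised either by the "sk-" prefix or by an option name that
mentions key/token/secret. Pass another config root as argv[1].
"""
import re
import sys
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Value shape: "sk-" prefixed keys, as used by OpenAI- and DeepSeek-style APIs.
KEY_VALUE_RE = re.compile(r"^sk-[A-Za-z0-9_\-]{16,}$")
# Option names that suggest a secret even when the value shape is unfamiliar.
KEY_NAME_RE = re.compile(r"api[_\-]?key|token|secret", re.IGNORECASE)
DEFAULT_ROOT = Path.home() / ".config" / "JetBrains"


def mask(value):
    """Keep the report from leaking the key itself: prefix plus length only."""
    return f"{value[:5]}...({len(value)} chars)"


def scan_options_file(path):
    """Return (file, component, option, masked value, reason) for each hit.

    Application-level settings are stored as
    <application><component name=..><option name=.. value=../></component></application>.
    """
    hits = []
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return hits  # not a settings file we can read; skip rather than crash
    for component in root.iter("component"):
        comp = component.get("name", "?")
        for option in component.iter("option"):
            name = option.get("name", "")
            value = option.get("value")
            if not value:
                continue
            if KEY_VALUE_RE.match(value):
                reason = "value looks like a provider API key"
            elif KEY_NAME_RE.search(name) and len(value) >= 16:
                reason = "option name suggests a secret"
            else:
                continue
            hits.append((str(path), comp, name, mask(value), reason))
    return hits


def scan_options_root(root):
    """Walk every <Product><Version>/options/*.xml under an IDE config root."""
    hits = []
    for path in sorted(Path(root).glob("**/options/*.xml")):
        hits.extend(scan_options_file(path))
    return hits


def write_sample_config(root):
    """Constructed sample settings (not any real plugin's file) for the demo."""
    options = Path(root) / "IntelliJIdea2025.1" / "options"
    options.mkdir(parents=True, exist_ok=True)
    (options / "aiAssistant.xml").write_text(
        '<application>\n'
        '  <component name="AiAssistantSettings">\n'
        '    <option name="apiKey" value="sk-EXAMPLE0000000000000000000000000000FAKE" />\n'
        '    <option name="model" value="deepseek-chat" />\n'
        '  </component>\n'
        '</application>\n'
    )
    (options / "editor.xml").write_text(
        '<application>\n'
        '  <component name="EditorSettings">\n'
        '    <option name="tabSize" value="4" />\n'
        '  </component>\n'
        '</application>\n'
    )
    return root


def demo():
    """Run the scanner over the constructed sample; returns the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_options_root(write_sample_config(Path(tmp)))


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_ROOT
    for file, comp, name, masked, reason in scan_options_root(target):
        print(f"{file}: {comp}.{name} = {masked}  [{reason}] -> rotate this key")
```

Run it with no arguments against the default config root, or point it at a backup of a colleague's home directory. Every hit is a key that was sitting in a file any plugin in the IDE process could read, so rotate it regardless of whether a known-bad plugin was installed; the masked output is safe to paste into an incident ticket.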
Deep Analysis: Technical Indicators and Defensive Commands
The campaign offers valuable insight into how modern developer-focused malware operates.
Linux-Based Security Investigation Commands
Check active network connections (look for the IDE's Java process talking to hosts it has no reason to contact):
ss -tunap
Watch for traffic to the server address associated with the campaign (the IP referenced by this page's indicators; add any other indicators you hold):
tcpdump -i any host 39.107.60.51
List installed plugin JARs. On Linux, plugins live under ~/.local/share/JetBrains/<Product><Version>/, while ~/.config/JetBrains holds settings, not plugin code:
find ~/.local/share/JetBrains -name "*.jar"
Inspect a plugin archive. JAR entries are compressed, so grep on the JAR itself usually finds nothing; extract it first:
unzip -o plugin.jar -d plugin_extracted
Identify the hardcoded server address in the extracted classes (-a treats the binary class files as text):
grep -Ra "39.107.60.51" plugin_extracted/
Find classes that use an HTTP client (the names appear as strings in the class constant pool):
grep -RlaE "HttpURLConnection|java/net/http/HttpClient|okhttp3" plugin_extracted/
Read the plugin descriptor to map the JAR back to its Marketplace listing:
cat plugin_extracted/META-INF/plugin.xml
Locate the IDE's Java process (substitute pycharm, webstorm and so on for other JetBrains IDEs):
pgrep -af idea
Check its outbound connections in real time:
watch -n 2 'ss -tpn'
Trace the running IDE's network system calls. Attach to the live process rather than launching a bare java binary, then press Apply in the plugin's settings while the trace runs:
strace -f -e trace=network -p "$(pgrep -o -f idea)"
Review the kernel log for firewall events (these appear only if your nftables or iptables rules log dropped or rejected packets):
journalctl -k --since "1 hour ago"
Check whether plugins persisted API keys in plaintext settings; these are the keys to rotate:
grep -RniE "api[_-]?key|sk-" ~/.config/JetBrains/*/options/
Scan plugin directories with an antivirus engine (a clean result proves little, since signatures for these plugins may not exist):
clamscan -r ~/.local/share/JetBrains
Record the hash of any JAR you remove, for your incident notes and for comparison with what the Marketplace currently serves:
sha256sum plugin.jar
Monitor DNS requests (useful if a plugin resolves a hostname rather than connecting to a literal IP):
tcpdump -i any port 53
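The commands above are what you would type on one machine. For a fleet, or for a plugin directory copied off a suspect laptop, the same checks are easier to run as a script. The triage tool below is an added example written for this article, not code from Aikido Security, JetBrains or the plugins themselves. It reads each plugin JAR in place (no extraction step), maps it to its Marketplace name via META-INF/plugin.xml, and reports three things: whether the name is on the article's list, whether any class contains the server address from the commands above, and whether a settings class (one that references the IntelliJ Configurable interface, which is what receives the Apply button) also uses an HTTP client. That last check is a heuristic for "phones home when Apply is pressed", not proof of theft, and obfuscated strings defeat all three checks, so a clean result does not mean a clean plugin. The default plugin root and the sample JAR it runs against are assumptions; the JAR is constructed inline from made-up bytes and is not the real plugin's contents.

```python
"""Triage installed JetBrains plugin JARs for the indicators discussed above.

Added example for this article; not code from Aikido Security, JetBrains or
the plugins themselves. Assumptions: plugins live under
~/.local/share/JetBrains/<Product><Version>/ on Linux (pass another root as
argv[1]); indicators are the article's plugin names, the server address from
the commands above, and a Configurable (settings) class that also uses an
HTTP client. Obfuscated strings defeat this scan; a clean result proves little.
"""
import sys
import tempfile
import xml.etree.ElementTree as ET
import zipfile
from pathlib import Path

KNOWN_NAMES = {  # plugin names from the article's list
    "DeepSeek Junit Test", "DeepSeek Git Commit", "DeepSeek FindBugs",
    "DeepSeek AI Chat", "DeepSeek Dev AI", "DeepSeek AI Coding", "AI FindBugs",
    "AI Git Commitor", "AI Coder Review", "DeepSeek Coder AI",
    "AI Coder Assistant", "DeepSeek Code Review", "CodeGPT AI Assistant",
    "DeepSeek AI Assist", "Coding Simple Tool",
}
IOC_STRINGS = [b"39.107.60.51"]  # server address from the commands above
HTTP_CLIENT_STRINGS = [b"java/net/HttpURLConnection", b"java/net/http/HttpClient",
                       b"okhttp3/", b"org/apache/http/"]
SETTINGS_MARKER = b"com/intellij/openapi/options/Configurable"
DEFAULT_ROOT = Path.home() / ".local" / "share" / "JetBrains"


def plugin_identity(zf):
    """Return (<id>, <name>) from META-INF/plugin.xml, or (None, None)."""
    try:
        root = ET.fromstring(zf.read("META-INF/plugin.xml"))
    except (KeyError, ET.ParseError):
        return None, None

    def text(tag):
        node = root.find(tag)
        return node.text.strip() if node is not None and node.text else None
    return text("id"), text("name")


def scan_plugin_jar(jar_path):
    """Scan one JAR; return a finding dict, or None if nothing matched."""
    with zipfile.ZipFile(jar_path) as zf:
        plugin_id, name = plugin_identity(zf)
        ioc_hits, http_classes, settings_with_network = set(), [], []
        for entry in zf.namelist():
            if not entry.endswith(".class"):
                continue
            data = zf.read(entry)  # entries are deflated: grep on the JAR misses these
            ioc_hits.update(i.decode() for i in IOC_STRINGS if i in data)
            if any(s in data for s in HTTP_CLIENT_STRINGS):
                http_classes.append(entry)
                if SETTINGS_MARKER in data:
                    settings_with_network.append(entry)
    finding = {
        "jar": str(jar_path), "id": plugin_id, "name": name,
        "known_name": name in KNOWN_NAMES, "ioc_hits": sorted(ioc_hits),
        "http_client_classes": http_classes,
        "settings_classes_with_network": settings_with_network,
    }
    if finding["known_name"] or ioc_hits or settings_with_network:
        return finding
    return None


def scan_plugins_root(root):
    """Scan every *.jar under the plugins root, skipping unreadable archives."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        try:
            finding = scan_plugin_jar(jar)
        except zipfile.BadZipFile:
            continue
        if finding:
            findings.append(finding)
    return findings


def write_sample_plugin(root):
    """Constructed sample JAR for the demo: made-up bytes, not a real plugin's."""
    lib = Path(root) / "IntelliJIdea2025.1" / "deepseek-ai-assist" / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(lib / "deepseek-ai-assist.jar", "w") as zf:
        zf.writestr("META-INF/plugin.xml",
                    "<idea-plugin><id>example.deepseek.assist</id>"
                    "<name>DeepSeek AI Assist</name></idea-plugin>")
        # Only the constant-pool-like strings matter to the scan, so each fake
        # class body is just the class-file magic number plus those strings.
        zf.writestr("example/SettingsConfigurable.class",
                    b"\xca\xfe\xba\xbe" + SETTINGS_MARKER
                    + b"java/net/HttpURLConnection" + b"http://39.107.60.51/")
        zf.writestr("example/CompletionService.class",
                    b"\xca\xfe\xba\xbe" + b"java/net/http/HttpClient")
    return root


def demo():
    """Run the scanner over the constructed sample; returns its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_plugins_root(write_sample_plugin(Path(tmp)))


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_ROOT
    for f in scan_plugins_root(target):
        print(f"{f['jar']}\n  name={f['name']!r} id={f['id']!r} listed={f['known_name']}"
              f"\n  ioc={f['ioc_hits']} settings+network={f['settings_classes_with_network']}")
```

A plugin that is legitimately an AI assistant will of course use an HTTP client somewhere, which is why the report separates ordinary network classes from settings classes that talk to the network: the completion service calling the provider is expected, the Apply handler opening a connection is what you want a human to look at.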
Strategic Security Implications
The malware demonstrates how threat actors increasingly target developer workflows rather than end users.
Instead of attacking production servers directly, attackers compromise the individuals who build and maintain those systems.
This represents a significant evolution in cybercrime strategy.
Development environments now contain cloud credentials, AI access tokens, source code, deployment secrets, infrastructure keys, and internal documentation.
A successful compromise of a single developer workstation can provide attackers with access far beyond what a traditional endpoint infection could achieve.
The JetBrains incident also reveals weaknesses in marketplace review processes. Attackers successfully maintained multiple vendor identities and distributed similar malicious code across numerous plugins over an extended period.
As AI adoption accelerates, API credential theft is likely to become one of the fastest-growing attack categories in the cybersecurity landscape.
What Undercode Say:
The JetBrains plugin campaign should be viewed as more than a simple credential theft operation.
It represents a fundamental shift in how cybercriminals monetize developer ecosystems.
For years, attackers primarily targeted end users through phishing, ransomware, and browser malware. Today, developers themselves have become premium targets because they hold the keys to cloud infrastructure, source code repositories, AI platforms, and deployment pipelines.
What makes this campaign particularly effective is its use of legitimate functionality.
Traditional malware often reveals itself through obvious malicious behavior. These plugins, however, delivered real value while quietly collecting credentials in the background.
That approach dramatically reduces suspicion.
Developers naturally trust tools that improve productivity.
The campaign also highlights the explosive rise in value of AI service credentials.
A few years ago, attackers focused heavily on AWS keys and database credentials.
Now OpenAI, DeepSeek, Anthropic, and other AI provider keys are becoming equally attractive.
The suspected redistribution of stolen API keys introduces another troubling possibility.
Cybercriminals may be creating underground economies where stolen AI resources are resold to paying users.
This creates a self-sustaining business model.
Victims unknowingly supply the resources.
Attackers distribute those resources.
Customers consume them.
Revenue flows back to the operators.
Another notable observation is the abuse of trusted distribution channels.
Many security programs focus heavily on external threats while assuming marketplace content is relatively safe.
That assumption is becoming increasingly dangerous.
Marketplace trust is now being weaponized.
The incident should encourage software vendors to strengthen plugin review mechanisms.
Static analysis alone may no longer be enough.
Behavioral analysis and runtime inspection should become standard requirements for high-risk plugin categories.
Organizations should also rethink credential management strategies.
Developers frequently store API keys directly inside applications and plugins.
Short-lived tokens and centralized secrets management solutions could significantly reduce exposure.
The broader lesson is clear.
AI adoption is creating entirely new attack surfaces.
Every productivity gain introduced by AI tools must be balanced against security risks.
The organizations that recognize this reality early will be far better prepared for the next generation of software supply chain threats.
✅ Aikido Security reported at least 15 malicious JetBrains Marketplace plugins that were designed to steal AI API credentials from developers.
✅ The identified plugins reportedly transmitted user-supplied API keys to an external server after configuration changes were applied.
✅ Security researchers confirmed that several plugins contained both advertised functionality and hidden credential exfiltration mechanisms, making detection significantly more difficult for ordinary users.
Prediction
(+1) Increased Marketplace Security Audits 🔒
JetBrains and other IDE vendors will likely introduce stronger automated code reviews, behavioral scanning, and publisher verification procedures to reduce the risk of similar attacks reaching users.
(+1) Greater Adoption of Secure Credential Management 🚀
Organizations will increasingly move toward short-lived API tokens, secret vaults, and centralized credential management systems to prevent long-term credential abuse.
(+1) Expansion of Developer-Focused Threat Hunting 📈
Security teams will begin monitoring development environments with the same intensity currently applied to production infrastructure.
(-1) More AI-Themed Malware Campaigns ⚠️
The success and publicity of this operation may inspire copycat campaigns that disguise malware as AI productivity tools across multiple software marketplaces.
(-1) Rising Trust Issues Around Third-Party Plugins 📉
Developers may become increasingly cautious when installing extensions, slowing adoption of legitimate innovation within plugin ecosystems due to growing security concerns.
References:
Reported By: www.bleepingcomputer.com