Skip to content
hacker_posts

JetBrains pulls 15 plugins exfiltrating AI API keys, 70K installs

Aikido Security found 15 JetBrains Marketplace plugins under 7 vendor accounts that exfiltrated OpenAI, DeepSeek, and SiliconFlow keys over plaintext HTTP. JetBrains pulled them on June 16, 2026.

Published 5 min read
supply-chainjetbrainsaiadvisory

On June 16, 2026, JetBrains confirmed it had removed 15 third-party plugins from JetBrains Marketplace after a report by Aikido Security showed the plugins exfiltrated user-supplied AI provider API keys to a hardcoded C2. The plugins masqueraded as AI coding assistants and worked exactly as advertised. They were published under seven distinct vendor accounts, accumulated close to 70,000 installs, and targeted keys for OpenAI, DeepSeek, and SiliconFlow. The first variants landed in late October 2025; the most recent shipped on June 10, 2026.

What's affected

Any user of a JetBrains IDE — IntelliJ IDEA, PyCharm, GoLand, WebStorm, Rider, PhpStorm, RubyMine, CLion, DataGrip — who installed one of the 15 plugins and pasted an AI provider key into its settings panel. The two most-downloaded entries, per Aikido's writeup:

  • DeepSeek AI Assist — 27,727 downloads.
  • CodeGPT AI Assistant — 25,571 downloads.

The remaining 13 plugins, distributed across seven vendor accounts, share near-identical malicious code paths.

How the campaign works

Per the Aikido and JetBrains writeups, exfiltration is triggered by the user, not by background polling. The flow:

  1. User installs the plugin, opens its settings panel, pastes an OpenAI / DeepSeek / SiliconFlow key, clicks Apply.
  2. The settings handler legitimately persists the key via save(), then forwards it as a plaintext JSON body over unencrypted HTTP to 39.107.60.51.
  3. To suppress TLS warnings during the call, the plugin silently installs a JVM-wide X509TrustManager that disables certificate validation for the process.

The plugins themselves deliver the advertised AI functionality on top, which is why they sat in the Marketplace for ~8 months without user-side red flags. Coverage at BleepingComputer corroborates the install count, the C2 IP, and the seven-publisher pattern, citing Aikido's research directly.

Exploitation status

Confirmed exfiltration. The hardcoded server (39.107.60[.]51) was reachable over plaintext HTTP while the plugins were live in the Marketplace. JetBrains has not published the per-plugin install split for the remaining 13 entries, the exact total dollar value of stolen keys, or attribution. Aikido suspects the operators reused or resold the stolen API keys, but does not yet name a buyer or fraud campaign.

Action checklist

  1. Audit your IDE plugin list now. In each JetBrains IDE: Settings → Plugins → Installed. If any of the 15 published in the Aikido and BleepingComputer writeups is present, JetBrains has already disabled it via its backend, but the plugin's local code and any cached state should be removed manually.
  2. Rotate every AI provider key entered into a JetBrains plugin since October 2025. OpenAI, DeepSeek, SiliconFlow, and anything else stored in a third-party plugin's settings panel. Treat the old keys as burnt: revoke, generate new keys, scope them per-project.
  3. Audit OpenAI / DeepSeek / SiliconFlow usage logs for the rotated keys back to October 2025. Look for unexpected models, unexpected geographies, or sustained consumption with no business reason. Stolen LLM keys are typically resold to power abusive inference farms, so the tell is steady burn, not a one-time spike.
  4. Block egress to 39.107.60.51 over HTTP and HTTPS from developer workstations and CI runners. The address is hardcoded in every variant of the malicious code path; an egress hit is a high-confidence post-disclosure signal.
  5. Hunt for X509TrustManager overrides in installed JetBrains plugins. Any third-party plugin that disables TLS validation for the JVM process is high-risk regardless of stated purpose. The same primitive can be re-used by another marketplace campaign tomorrow.
  6. Restrict who can install Marketplace plugins. JetBrains supports allowlists and disabling third-party plugin install through idea.properties and per-IDE policy files; ship them via your existing endpoint-management pipeline.

Context

This is the second supply-chain story this site has covered in seven days where an AI-adjacent dev tool registry was the entry point. It lands a week after the @mastra npm-scope takeover (142 packages backdoored via easy-day-js) and follows the same recipe: a permissive marketplace that vets a publisher once, then trusts every package they ship after that. JetBrains Marketplace, npm, and the VS Code extension store all carry the same trust assumption — and the same blast radius.

The specific twist on Marketplace AI plugins is the payload target. An npm postinstall hook walks away with whatever happened to be on disk; a JetBrains AI plugin walks away with the developer's LLM API key, intentionally pasted by the user into the plugin's own settings panel. That removes every layer of "did the malware find the secret" — the user hands it over. As more of the developer workflow runs through pasted-in provider keys, the marketplace plugin becomes the cheapest place for an attacker to harvest them.

What other outlets missed

The Aikido writeup notes — and most secondary coverage drops — that the malicious plugins install a JVM-wide X509TrustManager to suppress TLS warnings during exfiltration. That is not a key-theft primitive; it is an IDE-wide TLS-validation kill switch that persists for the lifetime of the process. Any HTTPS traffic the IDE makes after the override — to package registries, git remotes over HTTPS, internal artifact servers, your CI control plane — runs without certificate validation. The stolen key is the headline, but the trust-store rewrite is the longer-term hole and is worth a sweep across every plugin you keep installed, not just the 15 JetBrains pulled.

Related stories