
The IDE Perimeter: JetBrains Marketplace Malware Exposes Developer API Keys

The JetBrains Marketplace malware incident reveals how trusted AI plugins can become powerful attack vectors. Explore how developer API keys were stolen, the risks to IDE security, and essential remediation measures.


For developers, the Integrated Development Environment (IDE) is a sanctuary. It’s a highly trusted workspace where engineers routinely paste access tokens, open proprietary codebases, and run high-privilege administrative tasks.

But a massive, coordinated supply-chain malware campaign on the JetBrains Marketplace has shattered that illusion of absolute safety, proving that your extension ecosystem is the new security perimeter.

Security researchers at Aikido Security recently uncovered a campaign involving at least 15 malicious plugins published under seven different vendor accounts (including names like CodePilot, StackSmith, and ZenCoder). Posing as helpful AI coding assistants utilizing DeepSeek and other Large Language Models (LLMs), these extensions covertly stole and exfiltrated private AI provider API keys.

By the time the threat was neutralized, the rogue utilities had racked up nearly 70,000 combined installations.

Anatomy of the Theft: How the Plugins Siphoned Keys

The brilliance—and malice—of this campaign lies in its simplicity. The plugins weren't forcing their way into system directories or triggering classic signature-based malware alerts. Instead, they acted as fully functional tools, doing exactly what they advertised: writing commit messages, executing code reviews, generating tests, and offering chat functions.

Because they functioned perfectly, developers didn't suspect a thing. The trap was sprung right in the configuration UI:

  1. The Bait: To use the extension's local AI features, developers were asked to navigate to Settings > Plugins and input a personal API key from major providers like OpenAI, DeepSeek, or SiliconFlow.

  2. The Hook: The plugin code specifically monitored for input string variations, validating length and prefix formatting to confirm a legitimate key was pasted.

  3. The Exfiltration: The moment the developer hit "Apply" or "Save," the plugin's background save() method took the active key string and sent it as a plaintext JSON payload over an unencrypted, insecure HTTP connection to a hardcoded command-and-control (C2) server at IP address 39.107.60.51.

There were no error notifications, no consent popups, and no visual indications that data was leaving the machine.
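A hardcoded endpoint like the one in step 3 is often recoverable as a literal in a plugin's class files, so installed plugins can be checked offline. The following is an added example, not code from the original research or from JetBrains: it searches every JAR under a plugins directory for the reported IP and for any cleartext http:// URL with a raw IPv4 host. The function names and the directory you pass in are assumptions, and a clean result proves nothing if a plugin builds the address at runtime.

```python
import re
import sys
import zipfile
from pathlib import Path

C2_IP = b"39.107.60.51"  # the hardcoded C2 address reported on this page
# Cleartext URL whose host is a raw IPv4 address, as it would sit in a class-file constant.
RAW_IP_URL = re.compile(rb"http://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?[\w/.\-]*")


def scan_jar(jar_path):
    """Return sorted (entry, finding) pairs for one plugin JAR."""
    findings = set()
    try:
        with zipfile.ZipFile(jar_path) as jar:
            for info in jar.infolist():
                if info.is_dir():
                    continue
                data = jar.read(info)
                if C2_IP in data:
                    findings.add((info.filename, "known C2 IP"))
                for m in RAW_IP_URL.finditer(data):
                    findings.add((info.filename, m.group().decode("ascii")))
    except (zipfile.BadZipFile, OSError, RuntimeError):
        findings.add(("<archive>", "unreadable JAR"))
    return sorted(findings)


def scan_plugins(plugins_dir):
    """Scan every JAR under an IDE plugins directory; return {jar path: findings}."""
    report = {}
    for jar_path in sorted(Path(plugins_dir).rglob("*.jar")):
        hits = scan_jar(jar_path)
        if hits:
            report[str(jar_path)] = hits
    return report


if __name__ == "__main__":
    # Pass the plugins directory of each installed IDE; its location varies by OS and product.
    for root in sys.argv[1:]:
        for jar, hits in scan_plugins(root).items():
            for entry, finding in hits:
                print(f"{jar}!{entry}: {finding}")
```

Hits on loopback addresses such as 127.0.0.1 are common in legitimate plugins and need manual review.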

The Twisted Revenue Model: Stolen Token Reselling

When analyzing the command-and-control server, researchers noticed an incredibly bizarre feature: a built-in "donation wall" or paid tier.

If a user paid a small fee through the plugin, the attacker’s remote server would suddenly pass a working, unrestricted AI API key back down to the client. The plugin would then seamlessly swap out the user's local key for the server-supplied key to process LLM prompts.

Security analysts believe this points to a highly coordinated credit-cycling scheme:

  • Group A (The Victims): Enter their legitimate, funded corporate or personal API keys, which are instantly harvested by the server.

  • Group B (The Paying Users): Pay a premium fee to the attackers to get access to "unlimited" AI compute, fueled entirely by the stolen keys harvested from Group A.

Essentially, the threat actors turned stolen developer access into a monetization service, collecting clean cash on one side while victims unknowingly footed the bill for massive AI compute costs.

Why the IDE is a Goldmine for Modern Attackers

This incident highlights a major vulnerability in modern enterprise environments: non-human identity management. Cloud keys, webhooks, and AI tokens are incredibly difficult for standard endpoint detection and response (EDR) platforms to monitor.

Furthermore, developers on Linux, macOS, or Windows workstations require broad administrative access to compile binaries, manage local virtual machines, and test service meshes. When an attacker gains code execution access inside a developer's IDE, they aren't just stealing an OpenAI credential—they have a massive pivot point. An infected plugin can comfortably look sideways at local environment variables, Kubernetes secrets, .ssh folders, and production deployment keys.

While JetBrains enforces manual review procedures for third-party marketplace submissions, this campaign—which successfully slipped through security filters from late October 2025 all the way through June 2026—demonstrates that obfuscated data-exfiltration logic within an otherwise functional application remains incredibly difficult for automated gatekeepers to catch.

Immediate Remediation: What You Need to Do

JetBrains acted swiftly upon receiving the forensic reports, immediately purging and disabling the 15 compromised tools remotely across its ecosystem. However, if you or anyone on your team interacted with unverified third-party AI extensions recently, you should immediately execute the following security protocols:

1. Revoke and Reissue Stolen Secrets

Treat any API token entered into an unverified plugin as completely compromised. Log into your developer consoles at OpenAI, DeepSeek, or SiliconFlow, permanently revoke the active keys, and issue clean, new credentials. Check your consumption dashboards for any unrecognized usage or unusual billing spikes.

2. Purge Local Workspaces

Open your IDE’s plugin manager (Settings > Plugins > Installed) and ensure any lingering elements of third-party AI assistants, unknown Git extensions, or custom code-review tools are completely uninstalled from your machine.

3. Block Known Infrastructure

Corporate network administrators should immediately add the attacker's hardcoded command-and-control server IP (39.107.60.51) to their centralized firewall blacklists and corporate DNS block rules to stop any outbound plaintext token leakage.

4. Move to Sandboxed Protocols (ACP)

To prevent these types of supply-chain risks permanently, JetBrains is heavily prioritizing the transition to the All Content Providers (ACP) protocol. Moving away from traditional unsandboxed marketplace extensions that run custom execution blocks, tools registered via ACP communicate strictly via sandboxed, structured standard inputs and outputs, ensuring your long-lived root tokens never have to touch an unvetted environment handler again.
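For steps 1 and 3 above, egress logs show which workstations already reached the address, and from when, which tells you whose keys to revoke first and how far back to audit usage. This is an added example, not part of the original article; the five-field proxy log format, host names and log lines are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

C2_IP = "39.107.60.51"  # indicator reported on this page

# Constructed proxy log (timestamp, client host, method, URL, status); the format is an assumption.
SAMPLE_LOG = """\
2026-05-04T09:12:31Z dev-laptop-07 POST http://39.107.60.51/ 200
2026-05-04T09:12:40Z dev-laptop-07 POST https://api.openai.com/v1/chat/completions 200
2026-05-06T14:02:10Z build-ws-02 GET https://plugins.jetbrains.com/ 200
2026-05-09T17:45:03Z dev-laptop-11 POST http://39.107.60.51/ 200
2026-05-11T08:01:59Z dev-laptop-07 POST http://39.107.60.51/ 200
malformed line
"""


def triage(log_text, indicator=C2_IP):
    """Return {client: {count, first, last, cleartext}} for requests to the indicator."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "cleartext": False})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the assumed format
        ts, client, method, url, _status = parts
        target = urlsplit(url)
        if target.hostname != indicator:
            continue
        rec = hits[client]
        rec["count"] += 1
        # ISO 8601 UTC timestamps sort correctly as plain strings.
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        # A cleartext POST matches the exfiltration described above: key sent as JSON over HTTP.
        if target.scheme == "http" and method == "POST":
            rec["cleartext"] = True
    return dict(hits)


def rotation_list(log_text):
    """Hosts whose keys should be treated as stolen, earliest contact first."""
    hits = triage(log_text)
    return sorted(hits, key=lambda host: hits[host]["first"])
```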

Frequently asked questions

1. What is the JetBrains Marketplace malware attack?

The JetBrains Marketplace malware attack involved malicious AI assistant plugins disguised as productivity tools. These plugins secretly harvested API keys from developers and transmitted them to attacker-controlled servers, affecting thousands of installations.

2. How did the malicious plugins steal developer API keys?

The plugins asked users to enter AI provider API keys such as OpenAI or DeepSeek keys to enable features. Once saved, the extensions automatically sent those credentials in plain text to a remote server without notifying the user.

3. What should developers do if they installed a compromised JetBrains plugin?

Developers should immediately revoke and regenerate all exposed API keys, uninstall suspicious plugins, review API usage for unusual activity, and block known malicious server addresses within their network security systems.
