Security firm Aikido Security discovered 15 malicious plugins on the JetBrains Marketplace — disguised as AI coding assistants and code review tools — silently sending users' OpenAI, DeepSeek and SiliconFlow API keys to attacker-controlled servers. In total, roughly 70,000 installs. JetBrains removed them all and banned 7 publisher accounts on 17/06/2026. If your dev team has ever installed unfamiliar AI plugins, now is the time to revoke those keys immediately.
Quick summary
- Scale: 15 malicious plugins, 7 publisher accounts, ~70,000 installs on the JetBrains Marketplace.
- Biggest offenders: "DeepSeek AI Assist" (27,727 downloads) and "CodeGPT AI Assistant" (25,571).
- How they worked: posing as AI assistants, they captured the API keys users entered and sent them to the attackers' servers.
- Timeline: active since 10/2025; the most recent plugin was published 10/06/2026; JetBrains removed and remotely disabled them on 17/06/2026.
- What to do: revoke every API key ever entered into these plugins.
What happened?
According to BleepingComputer and The Hacker News, these plugins had been quietly active since October 2025 — meaning nearly 9 months of harvesting keys before being detected. They targeted a very common habit: a developer wants to use AI inside the IDE, installs a professional-looking "AI assistant" plugin, then pastes the company's API key straight into the settings.
JetBrains confirmed on its official blog: all 15 plugins were removed from the Marketplace and remotely disabled on users' machines on 17/06/2026.
Why this is more dangerous than it looks
A leaked AI API key isn't just about the bill (attackers freeloading on your quota). Far more dangerous: keys are often tied to an organization account — attackers may be able to read fine-tuning history, uploaded data, even member lists depending on the key's permissions. And because the key sits in a developer's IDE, it is usually a broadly scoped key that rarely gets rotated.
This is a classic supply-chain attack pattern translated into the AI era: instead of planting malware in an npm library, attackers wait at the exact spot where developers voluntarily enter their secrets.
What businesses should do right now
- Audit every developer's IDE: check installed AI plugins, especially the names on the removal list ("DeepSeek AI Assist", "CodeGPT AI Assistant"…).
- Revoke and rotate every API key ever entered into a plugin of unknown origin — even if "nothing looks wrong yet".
- Set plugin-source rules: only install plugins from verified publishers; put an approved plugin list into your security policy.
- Monitor API usage: set alerts for unusual billing/quota activity — the earliest sign of a leaked key.
A perspective for businesses
This incident exposes a structural risk of the "AI via API key" model: secrets scattered across every developer's machine, where a single fake plugin is enough to sweep them into an attacker's hands. With on-premise internal AI, this attack surface all but disappears — there are no cloud keys to steal, and access flows through the company's internal network and centralized access control. That is a layer of defense determined by architecture, not by the carefulness of each individual.
Frequently asked questions
Am I affected?
If you or your dev team ever installed an unfamiliar AI assistant plugin from the JetBrains Marketplace (especially 'DeepSeek AI Assist' or 'CodeGPT AI Assistant'), treat the key as compromised: revoke it and create a new one immediately.
How did JetBrains respond?
It removed all 15 plugins, banned 7 publisher accounts and remotely disabled the plugins on users' machines on 17/06/2026, with an announcement on its official blog.
How can we prevent a similar incident?
Only install plugins from verified publishers, cover plugins in your security policy, use separate keys per context with limited quotas, and monitor for unusual billing.
How does internal AI help here?
There are no cloud API keys scattered across developers' machines to steal — AI access flows through the company's internal network and centralized access control.
Close the API-key attack surface
Namtech deploys internal AI — no cloud keys scattered around, access via centralized permissions, and data never leaves your organization.
Book a free consultationNote: This article is compiled from public sources as of 02/07/2026; information is for reference and may change.