Malicious JetBrains and VS Code Extensions Steal OpenAI, Anthropic, and DeepSeek API Keys
Cyber Security News
By Tushar Subhra Dutta
June 22, 2026
Developers who rely on AI coding tools are now facing a serious new threat. A coordinated malware campaign has been uncovered on the JetBrains Marketplace, where at least 15 fake IDE plugins were quietly stealing AI provider API keys from thousands of developers.
The plugins posed as helpful AI coding assistants built on DeepSeek, OpenAI, and SiliconFlow, but hid a dangerous credential-theft routine beneath their surface.
The attack spanned roughly eight months, with the earliest malicious plugins appearing in late October 2025 and new ones still being published as recently as June 10, 2026.
Together, the 15 plugins accumulated close to 70,000 combined installs across seven vendor accounts before being detected. The scale and persistence of this campaign highlight just how deeply developers trust marketplace ecosystems and how easily that trust can be weaponized.
Researchers at Aikido Security were the first to identify and publicly disclose the campaign. The Cloud Security Alliance (CSAI) said in a report shared with Cyber Security News (CSN) that IDE plugin ecosystems have become a primary attack surface for AI credential theft, noting that supply chain integrity controls have not been extended to these environments.
All three documented campaigns (the JetBrains plugins, the GlassWorm worm and the Nx Console compromise described below) confirm that the developer toolchain is now a well-recognized and actively exploited target.
Alongside the JetBrains campaign, researchers tracked two related threats active during the same window.
The GlassWorm worm targeted the Visual Studio Code Marketplace and the OpenVSX Registry, while a separate Nx Console supply chain compromise hit GitHub’s Internal Repository. Together, they reflect a wider pattern of attackers converging on developer tools as a high-value entry point.
The financial stakes make these attacks especially attractive. AI inference is costly, and enterprise customers pay significant monthly fees for model access.
A stolen API key lets an attacker consume that quota at zero cost while the legitimate owner keeps paying the bill, creating a growing black market for resold AI access.
Malicious JetBrains and VS Code Extensions
All 15 malicious plugins shared nearly identical code, repackaged and relisted under different names and vendor accounts.
When a developer entered their API key into the plugin settings and clicked Apply, the credential was stored locally as expected but simultaneously forwarded via a plain HTTP POST request to a hardcoded attacker-controlled server.
No notification and no consent screen ever appeared in the interface. Aikido’s analysis also uncovered a monetization layer that sets this campaign apart from ordinary credential theft.
Some plugins offered a paid tier, and once a user paid a small fee, the attacker’s server would return a working API key to the client.
Researchers believe those returned keys were likely stolen from free-tier victims, turning the campaign into a credential resale service where attackers collected both money and free AI compute.
GlassWorm and the Broader VS Code Risk
GlassWorm, a technically advanced threat first identified by Koi Security in October 2025, spread through malicious VS Code extensions on the OpenVSX Registry.
It used invisible Unicode characters to hide malicious logic inside extension source files, making the code appear as empty lines to human reviewers and automated tools alike. This technique allowed the malware to slip past most standard review processes undetected.
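The hidden-character technique described above is easy to catch once a review step actually looks for it. The script below is an added example for this article, not Koi Security's or any marketplace's tooling; its set of invisible code points (zero-width characters, bidi controls, variation selectors, Unicode tag characters, plus anything Unicode classes as a format character, category Cf) is an assumption chosen for illustration, and the embedded sample source is constructed. It reports every hidden character in a file and every line that appears blank to a reviewer but still carries content, which is exactly the condition a human skims past.

```python
"""Flag invisible Unicode in extension source before a plugin is approved.

Added example (not from the article or any vendor). The code-point list is
an assumption; tune it to your review policy.
"""
import sys
import unicodedata
from pathlib import Path

# Assumed set of code points that render as nothing in most editors.
INVISIBLE_SINGLES = {
    0x200B, 0x200C, 0x200D,          # zero-width space / non-joiner / joiner
    0x200E, 0x200F,                  # left-to-right / right-to-left marks
    0x2060, 0x2061, 0x2062, 0x2063,  # word joiner, invisible operators
    0x2064, 0xFEFF,                  # invisible plus, BOM / zero-width no-break space
    0x00AD, 0x180E,                  # soft hyphen, Mongolian vowel separator
    0x115F, 0x1160, 0x3164,          # Hangul fillers (blank glyphs)
}
INVISIBLE_RANGES = [
    (0xFE00, 0xFE0F),    # variation selectors
    (0xE0100, 0xE01EF),  # variation selectors supplement
    (0xE0000, 0xE007F),  # Unicode tag characters
    (0x202A, 0x202E),    # bidi embedding / override controls
    (0x2066, 0x2069),    # bidi isolates
]


def is_invisible(cp: int) -> bool:
    """True if the code point is in the explicit list, a listed range, or class Cf."""
    if cp in INVISIBLE_SINGLES or any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    return unicodedata.category(chr(cp)) == "Cf"


def find_invisible(text: str):
    """Return [(line_no, col, codepoint)] for every hidden character in the text.

    A BOM at the very start of the file is tolerated; anywhere else it is flagged.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if is_invisible(cp) and not (line_no == 1 and col == 1 and cp == 0xFEFF):
                hits.append((line_no, col, cp))
    return hits


def looks_blank(line: str) -> bool:
    """True when nothing on the line would produce a visible glyph."""
    return all(ch.isspace() or is_invisible(ord(ch)) for ch in line)


def suspicious_blank_lines(text: str):
    """Line numbers that look empty in an editor but are not actually empty."""
    return [
        n for n, line in enumerate(text.splitlines(), start=1)
        if line.strip() and looks_blank(line)
    ]


def scan_file(path: Path):
    """Scan one source file; returns both kinds of findings."""
    text = path.read_text(encoding="utf-8", errors="replace")
    return {"hidden": find_invisible(text), "fake_blank": suspicious_blank_lines(text)}


# Constructed sample (not a real extension): line 3 looks empty but holds
# three variation-selector characters.
SAMPLE = (
    "const x = 1;\n"
    "console.log(x);\n"
    "\U000E0101\U000E0102\U000E0103\n"
    "module.exports = x;\n"
)

if __name__ == "__main__":
    targets = [Path(p) for p in sys.argv[1:]]
    if not targets:
        print("hidden characters:", find_invisible(SAMPLE))
        print("fake blank lines:", suspicious_blank_lines(SAMPLE))
    for t in targets:
        for f in (t.rglob("*") if t.is_dir() else [t]):
            if f.is_file():
                r = scan_file(f)
                if r["hidden"] or r["fake_blank"]:
                    print(f, r)
```

Point it at an unpacked extension directory (`python scan.py ~/.vscode/extensions/some-ext`) and fail the approval step on any hit; legitimate sources almost never need zero-width characters or variation selectors outside string literals, so a short allow-list of known-good files is usually enough to keep the check quiet.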
Once active, GlassWorm harvested GitHub tokens, npm tokens, OpenVSX tokens, and cryptocurrency wallet data. It then force-pushed malicious commits to every repository the victim’s account could reach, spreading the infection to any developer who later cloned those repositories.
CrowdStrike, together with Google and the Shadowserver Foundation, neutralized all four GlassWorm command-and-control channels on May 26, 2026.
Developers should immediately audit all installed JetBrains plugins and VS Code extensions and treat any API key entered into an unvetted plugin as fully compromised.
Keys for OpenAI, Anthropic, DeepSeek, and SiliconFlow should be revoked and rotated through their respective provider dashboards without delay.
Network teams should block outbound traffic to the attacker’s server, and organizations should require behavioral review, not only static code scanning, before approving new IDE plugins.
Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| IP Address | 39.107.60[.]51 | Hardcoded C2 server receiving stolen API keys via plain HTTP POST |
| URL | hxxp://39.107.60[.]51/api/software/key | Exfiltration endpoint used by all 15 malicious JetBrains plugins |
| Plugin ID | org.sm.yms.toolkit | DeepSeek Junit Test — 1,121 downloads, released 2025-10-31 |
| Plugin ID | com.json.simple.kit | DeepSeek Git Commit — 1,894 downloads, released 2025-11-01 |
| Plugin ID | org.bug.find.tools | DeepSeek FindBugs — 1,485 downloads, released 2025-11-09 |
| Plugin ID | org.translate.ai.simple | DeepSeek AI Chat — 1,317 downloads, released 2025-11-23 |
| Plugin ID | com.yy.test.ai.simple | DeepSeek Dev AI — 740 downloads, released 2025-11-30 |
| Plugin ID | com.dev.ai.toolkit | DeepSeek AI Coding — 450 downloads, released 2025-12-06 |
| Plugin ID | com.json.view.simple | AI FindBugs — 623 downloads, released 2025-12-14 |
| Plugin ID | com.my.git.ai.kit | AI Git Commitor — 301 downloads, released 2026-01-10 |
| Plugin ID | org.check.ai.ds | AI Coder Review — 735 downloads, released 2026-01-11 |
| Plugin ID | com.review.tool.code | DeepSeek Coder AI — 3,498 downloads, released 2026-01-15 |
| Plugin ID | org.code.assist.dev.tool | AI Coder Assistant — 319 downloads, released 2026-02-01 |
| Plugin ID | com.coder.ai.dpt | DeepSeek Code Review — 278 downloads, released 2026-04-18 |
| Plugin ID | com.my.code.tools | CodeGPT AI Assistant — 25,571 downloads, released 2026-06-09 |
| Plugin ID | ord.cp.code.ai.kit | DeepSeek AI Assist — 27,727 downloads, released 2026-06-10 |
| Plugin ID | com.dp.git.ai.tool | Coding Simple Tool — 3,931 downloads |
| API Auth Token | F48D2AA7CF341F782C1D | Static token hardcoded in plugins, used to authenticate POST requests to C2 server |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
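The audit recommended earlier (check every installed JetBrains plugin and VS Code extension, treat matches as compromised) can be driven directly from the table above. The script below is an added example for this article, not tooling from Aikido, JetBrains or Microsoft. It keeps the indicators in their published defanged form and re-fangs them only in memory so they can be matched against real plugin bytes, checks each JetBrains plugin jar's declared id in META-INF/plugin.xml against the 15 listed ids, and searches every file under the given roots (jar entries included) for the C2 address, the exfiltration URL and the static token. The directory layout it expects (plugin jars with META-INF/plugin.xml, loose extension files such as extension.js) is an assumption; pass your own plugin and extension directories on the command line. The sample tree it builds when run without arguments is constructed for demonstration.

```python
"""Audit plugin/extension directories against the IoCs published above.

Added example (not from the article or any vendor). Indicators are stored
defanged and re-fanged only in memory.
"""
import re
import sys
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Plugin ids and string indicators copied from the report (defanged as published).
BAD_PLUGIN_IDS = {
    "org.sm.yms.toolkit", "com.json.simple.kit", "org.bug.find.tools",
    "org.translate.ai.simple", "com.yy.test.ai.simple", "com.dev.ai.toolkit",
    "com.json.view.simple", "com.my.git.ai.kit", "org.check.ai.ds",
    "com.review.tool.code", "org.code.assist.dev.tool", "com.coder.ai.dpt",
    "com.my.code.tools", "ord.cp.code.ai.kit", "com.dp.git.ai.tool",
}
DEFANGED_STRINGS = {
    "c2_ip": "39.107.60[.]51",
    "exfil_url": "hxxp://39.107.60[.]51/api/software/key",
    "auth_token": "F48D2AA7CF341F782C1D",
}
ARCHIVE_SUFFIXES = {".jar", ".zip"}


def refang(s: str) -> str:
    """Undo publication defanging so the bytes match what a plugin really contains."""
    return s.replace("[.]", ".").replace("hxxp://", "http://")


IOC_PATTERNS = {name: re.compile(re.escape(refang(v)).encode())
                for name, v in DEFANGED_STRINGS.items()}


def iocs_in_bytes(data: bytes):
    """Names of the string indicators found in a blob, sorted for stable output."""
    return sorted(name for name, pat in IOC_PATTERNS.items() if pat.search(data))


def plugin_id_from_xml(xml_bytes: bytes):
    """Declared <id> from a JetBrains META-INF/plugin.xml, or None."""
    try:
        node = ET.fromstring(xml_bytes).find("id")
    except ET.ParseError:
        return None
    return node.text.strip() if node is not None and node.text else None


def _merge(finding, names):
    for n in names:
        if n not in finding["iocs"]:
            finding["iocs"].append(n)


def audit_archive(path: Path):
    """Inspect one plugin jar: declared id plus IoC strings in every entry."""
    finding = {"path": str(path), "plugin_id": None, "bad_id": False, "iocs": []}
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name == "META-INF/plugin.xml":
                pid = plugin_id_from_xml(data)
                finding["plugin_id"], finding["bad_id"] = pid, pid in BAD_PLUGIN_IDS
            _merge(finding, iocs_in_bytes(data))
    return finding


def audit_file(path: Path):
    """Inspect a loose file (e.g. a VS Code extension's JavaScript) for IoC strings."""
    finding = {"path": str(path), "plugin_id": None, "bad_id": False, "iocs": []}
    _merge(finding, iocs_in_bytes(path.read_bytes()))
    return finding


def audit_tree(root: Path):
    """Walk a plugin/extension root; return only findings that matched something."""
    hits = []
    for f in root.rglob("*"):
        if not f.is_file():
            continue
        result = audit_archive(f) if f.suffix in ARCHIVE_SUFFIXES else audit_file(f)
        if result["bad_id"] or result["iocs"]:
            hits.append(result)
    return hits


def demo():
    """Build a constructed sample tree (not real marketplace artefacts) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "jb").mkdir()
        with zipfile.ZipFile(root / "jb" / "codegpt.jar", "w") as zf:
            zf.writestr("META-INF/plugin.xml",
                        "<idea-plugin><id>com.my.code.tools</id></idea-plugin>")
            zf.writestr("res/config.properties",
                        "endpoint=" + refang(DEFANGED_STRINGS["exfil_url"])
                        + "\ntoken=" + DEFANGED_STRINGS["auth_token"] + "\n")
        ext = root / "vscode" / "ext"
        ext.mkdir(parents=True)
        (ext / "extension.js").write_text(
            "const host = '" + refang(DEFANGED_STRINGS["c2_ip"]) + "';\n")
        return sorted(audit_tree(root), key=lambda f: f["path"])


if __name__ == "__main__":
    roots = [Path(p) for p in sys.argv[1:]]
    for hit in (demo() if not roots else [h for r in roots for h in audit_tree(r)]):
        print(hit)
```

Any hit on `bad_id` or on `exfil_url`/`auth_token` should be treated as confirmation that every key entered into that plugin is compromised and must be rotated; a `c2_ip` match alone is still worth a manual look, since the address also appears in the URL. The same refanged strings can be loaded into the proxy or egress filter to implement the outbound block the article recommends.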