Aikido noted a particularly brazen detail: some variants of the malware even included a paid tier, where victims could pay a small fee to receive a "working" API key back, which was likely stolen from another compromised developer.
According to Aikido's analysis, the first of these malicious plugins appeared in October 2025, with new ones being published as recently as June 2026. This means the campaign operated for over eight months on the official marketplace before detection.
At the time of Aikido's disclosure, the 15 plugins had amassed approximately 70,000 total installations across the seven fraudulent vendor accounts. The scale of the operation suggests it was likely the first coordinated malware campaign of its kind to successfully penetrate the JetBrains Marketplace.
The JetBrains incident did not occur in isolation. It coincided with a parallel campaign where threat actors created a network of more than 88 fake installer websites impersonating Claude Code, Cline, and JetBrains, using Google Ads to funnel developers toward credential-stealing malware. Together, these operations signal a deliberate and multifaceted effort to target AI developers' secrets.
The JetBrains Marketplace attack is part of a disturbing trend across the software supply chain. API keys for large language models have become a primary target for attackers because of the access they provide. A compromised key can be used to run up massive inference bills, access private models and internal data, or pivot into connected cloud infrastructure.
Earlier in 2026, the npm package codexui-android, which had roughly 28,000 weekly downloads, was found to be silently exfiltrating non-expiring OpenAI OAuth refresh tokens. Attackers disguised the exfiltration as routine Sentry telemetry traffic. In 2025, a separate campaign compromised 141 Mastra npm packages to inject malicious code at install time, further demonstrating the fragility of development ecosystems.
IDE plugins represent an especially high-value target. Plugins within JetBrains environments run with full access to the IDE process, meaning they can read source code, access stored credentials, modify files, and initiate network connections. A malicious plugin is not just a theoretical risk but a practical backdoor into everything a developer touches. As a post-incident analysis noted, an AI assistant wired into an IDE is now a "high-privilege automation surface" sitting next to source code, secrets, SSH keys, and cloud credentials.
The immediate risk for any developer who experimented with AI-assistant plugins in recent months is that their API key is already in the hands of an attacker. Aikido and other security sources have distilled the response into several essential steps.
1. Rotate exposed API keys immediately. If you installed an AI-assistant plugin from the JetBrains Marketplace between October 2025 and June 2026 and entered an API key, assume it is compromised. Generate a new key from your AI provider's dashboard and revoke the old one without delay.
2. Audit your installed plugins. Open your IDE's Settings/Preferences, navigate to Plugins, and review the Installed list. Disable or uninstall any plugin you do not explicitly recognize and trust. After removal, restart the IDE to ensure its code is fully purged from memory.
3. Review your environment for residual changes. Uninstalling a plugin does not guarantee that all its effects are undone. Plugins can modify IDE settings and files; check for any unexpected configurations or network behaviors that persist after removal.
4. Scrutinize plugin permissions before installing. Be especially wary of plugins that request broad network access without clear justification. A code-formatting tool, for example, should not need to communicate with external servers.
5. Adopt short-lived and scoped API keys. Where your AI provider supports it, restrict keys to specific projects or services and set expiration dates. Monitor billing dashboards actively for unusual spikes in usage, which can be an early warning of credential abuse.
6. Report suspicious plugins. If you encounter a plugin that behaves unexpectedly, use the "Report Plugin" option on its JetBrains Marketplace page to notify the platform's security team. Collective vigilance remains one of the most effective defenses against supply-chain threats.
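Steps 2 and 3 above are easier to repeat, and to script across a team, when the inventory comes from disk rather than from clicking through the Plugins dialog. The script below is an added example, not code from Aikido or JetBrains: it walks a JetBrains plugins directory, reads id, name, vendor and version out of each plugin jar's META-INF/plugin.xml, and flags any plugin whose vendor is not on a vendor allowlist you maintain, plus any plugin directory that carries no descriptor at all. The plugin-root paths in the comments and the sample plugins and allowlist in demo() are assumptions constructed for the example; the vendor string is self-declared by the plugin author, so a match is a triage aid, not proof of provenance.

```python
from __future__ import annotations
import tempfile
import xml.etree.ElementTree as ET
import zipfile
from pathlib import Path

# Assumed plugin roots (the <Product><Version> segment varies): Linux ~/.local/share/JetBrains/<Product><Version>/,
# macOS ~/Library/Application Support/JetBrains/<Product><Version>/plugins, Windows %APPDATA%\JetBrains\<Product><Version>\plugins.
# Each installed plugin is a directory whose lib/*.jar carries META-INF/plugin.xml.
def read_plugin_descriptor(plugin_dir: Path) -> dict | None:
    """Return id/name/vendor/version from the first jar under lib/ that has a plugin.xml."""
    for jar in sorted((plugin_dir / "lib").glob("*.jar")):
        with zipfile.ZipFile(jar) as zf:
            if "META-INF/plugin.xml" not in zf.namelist():
                continue
            root = ET.fromstring(zf.read("META-INF/plugin.xml"))
            fields = {k: (root.findtext(k) or "").strip() for k in ("id", "name", "vendor", "version")}
            return {"dir": plugin_dir.name, **fields}
    return None

def audit_plugins(plugins_root: Path, trusted_vendors: set[str]) -> list[dict]:
    """Inventory every plugin; flag unknown vendors and directories with no descriptor."""
    findings = []
    for plugin_dir in sorted(p for p in plugins_root.iterdir() if p.is_dir()):
        desc = read_plugin_descriptor(plugin_dir)
        if desc is None:
            findings.append({"dir": plugin_dir.name, "flag": "no plugin.xml found"})
        else:
            desc["flag"] = "" if desc["vendor"] in trusted_vendors else "vendor not in allowlist"
            findings.append(desc)
    return findings

def _write_sample_plugin(root: Path, dirname: str, descriptor_xml: str) -> None:
    """Constructed fixture: one plugin directory with a jar that carries plugin.xml."""
    (root / dirname / "lib").mkdir(parents=True)
    with zipfile.ZipFile(root / dirname / "lib" / "plugin.jar", "w") as zf:
        zf.writestr("META-INF/plugin.xml", descriptor_xml)

def demo() -> list[dict]:
    """Audit a constructed plugins directory against a hypothetical vendor allowlist."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write_sample_plugin(root, "ai-helper", "<idea-plugin><id>example.ai.helper</id><name>AI Helper</name>"
                             "<vendor>Unknown Vendor Ltd</vendor><version>1.0</version></idea-plugin>")
        _write_sample_plugin(root, "formatter", "<idea-plugin><id>example.formatter</id><name>Formatter</name>"
                             "<vendor>Trusted Vendor</vendor><version>2.1</version></idea-plugin>")
        (root / "stray-dir").mkdir()  # leftover directory with no descriptor at all
        return audit_plugins(root, trusted_vendors={"Trusted Vendor"})

if __name__ == "__main__":
    print(demo())
```

Point audit_plugins() at your real plugin root and compare its output with the Installed list in Settings/Preferences; a directory that appears on disk but not in the dialog, or one with no descriptor, is exactly the kind of residue step 3 asks you to look for.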