
Programmers who depend on AI coding utilities are currently encountering a significant new danger. A coordinated malware initiative has been revealed on the JetBrains Marketplace, where a minimum of 15 counterfeit IDE plugins were discreetly pilfering AI provider API keys from thousands of programmers.

The plugins masqueraded as beneficial AI coding aides built on DeepSeek, OpenAI, and SiliconFlow but concealed a harmful credential-theft function beneath their façade.

The assault lasted approximately eight months, with the initial nefarious plugins surfacing in late October 2025 and newer versions still being released as recently as June 10, 2026.

Cumulatively, the 15 plugins garnered close to 70,000 total installs across seven vendor accounts before being discovered. The magnitude and tenacity of this campaign underscore how profoundly developers rely on marketplace ecosystems and how easily that reliance can be manipulated.

Investigators at Aikido Security were the first to detect and publicly announce the campaign. The Cloud Security Alliance (CSAI) remarked in a report shared with Cyber Security News (CSN) that IDE plugin ecosystems have evolved into a primary target for AI credential theft, observing that supply chain integrity measures have not been implemented in these environments.

Taken together, the three campaigns documented here confirm that the developer toolchain is now a well-known and actively exploited target.

In addition to the JetBrains campaign, researchers monitored two related threats operating during the same timeframe.

The GlassWorm worm targeted the Visual Studio Code Marketplace and the OpenVSX Registry, while a separate Nx Console supply chain breach affected GitHub’s Internal Repository. Collectively, they reflect a broader trend of attackers converging on developer tools as a lucrative entry point.

The financial implications render these attacks particularly appealing. AI inference is expensive, and enterprise clients incur substantial monthly charges for model access.

A compromised API key lets an attacker consume that quota for free while the legitimate owner keeps paying the bill, feeding a growing black market for resold AI access.

Malicious JetBrains and VS Code Extensions

All 15 harmful plugins shared nearly identical code, restructured and resold under various names and vendor accounts.

When a developer entered their API key into the plugin settings and clicked Apply, the credential was stored locally as expected but was simultaneously forwarded in a plain HTTP POST request to a hardcoded, attacker-controlled server.

No alerts or consent screens ever appeared in the interface.

Aikido’s examination also revealed a monetization layer that sets this campaign apart from typical credential theft.

Some plugins presented a paid version, and once a user paid a nominal fee, the attacker’s server would provide a functioning API key to the client.

Researchers suspect that those returned keys were likely stolen from victims of the free tier, turning the campaign into a credential resale service in which attackers profited both financially and in free AI compute.

GlassWorm and the Broader VS Code Risk

GlassWorm, an advanced threat first detected by Koi Security in October 2025, propagated through malicious VS Code extensions on the OpenVSX Registry.

It employed invisible Unicode characters to conceal malicious logic within extension source files, making the code appear as blank lines to human reviewers and automated tools alike. This technique allowed the malware to pass most conventional review processes undetected.
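The following scanner is an added example (not Koi Security's tooling and not code from GlassWorm) that shows how a defender can surface the class of characters the paragraph describes: Unicode format and control characters (zero-width spaces, bidirectional controls, tag characters) and variation selectors, which most editors and diff views render as nothing, so a line built only from them looks empty to a reviewer. Which categories and ranges to flag is this example's own choice, not a list taken from the malware, and the sample snippet it scans is constructed.

```python
"""Flag invisible Unicode characters in source text (added example, not GlassWorm code)."""
import sys
import unicodedata

# Control characters that ordinary source files legitimately contain.
ALLOWED_CONTROLS = {"\t", "\n", "\r"}

# Variation selectors are category Mn rather than Cf, so they need explicit ranges
# (this example's own choice of what to flag).
VARIATION_SELECTOR_RANGES = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))


def is_invisible(ch):
    """True if ch has no visible glyph of its own and is not ordinary whitespace."""
    if ch in ALLOWED_CONTROLS:
        return False
    if unicodedata.category(ch) in ("Cf", "Cc"):  # format (ZWSP, bidi, tags) and control chars
        return True
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in VARIATION_SELECTOR_RANGES)


def find_invisible(text):
    """Return (line, column, 'U+XXXX', Unicode name) for every invisible character."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                findings.append((line_no, col, f"U+{ord(ch):04X}",
                                 unicodedata.name(ch, "<unnamed>")))
    return findings


def visually_blank_lines(text):
    """Line numbers that render as empty but still contain characters."""
    blank = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped and all(is_invisible(ch) for ch in stripped):
            blank.append(line_no)
    return blank


# Constructed sample: line 2 holds two zero-width spaces, a variation selector and a
# Unicode tag character (it looks blank); line 3 has a zero-width space inside an identifier.
SAMPLE = (
    "const total = price * qty;\n"
    "\u200b\u200b\ufe0f\U000E0041\n"
    "let \u200bname = 'ok';\n"
    "\n"
    "return total;\n"
)


def scan_file(path):
    """Scan one file; undecodable bytes are kept as surrogates so the scan never aborts."""
    with open(path, encoding="utf-8", errors="surrogateescape") as fh:
        text = fh.read()
    return find_invisible(text), visually_blank_lines(text)


if __name__ == "__main__":
    # Usage: python invisible_scan.py extension.js other.ts   (no arguments scans SAMPLE)
    for target in sys.argv[1:] or ["<sample>"]:
        hits, blank = scan_file(target) if target != "<sample>" else (
            find_invisible(SAMPLE), visually_blank_lines(SAMPLE))
        print(f"{target}: {len(hits)} invisible character(s), blank-looking lines {blank}")
        for line_no, col, cp, name in hits:
            print(f"  line {line_no} col {col}: {cp} {name}")
```

Running it over a repository before merging a pull request turns "looks like an empty line" into a hard failure that a CI job can enforce; pairing it with a diff view that highlights non-ASCII bytes covers the case where the hidden characters are spliced into an otherwise ordinary line.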

Once activated, GlassWorm collected GitHub tokens, npm tokens, OpenVSX tokens, and cryptocurrency wallet information. It then force-pushed malicious commits to every repository accessible by the victim’s account, disseminating the infection to any developer who subsequently cloned those repositories.

CrowdStrike, in conjunction with Google and the Shadowserver Foundation, neutralized all four GlassWorm command-and-control channels on May 26, 2026.

Developers must promptly examine all installed JetBrains plugins and VS Code extensions and regard any API key input into an unverified plugin as entirely breached.

API keys for OpenAI, Anthropic, DeepSeek, and SiliconFlow ought to be invalidated and refreshed via their corresponding provider dashboards without hesitation.

Network teams should block outbound connections to the attacker’s server, and organizations must require behavioral analysis, not just static code review, before approving new IDE plugins.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| IP Address | 39.107.60[.]51 | Hardcoded C2 server receiving stolen API keys via unencrypted HTTP POST |
| URL | hxxp://39.107.60[.]51/api/software/key | Exfiltration endpoint used by all 15 malicious JetBrains plugins |
| Plugin ID | org.sm.yms.toolkit | DeepSeek Junit Test — 1,121 downloads, released 2025-10-31 |
| Plugin ID | com.json.simple.kit | DeepSeek Git Commit — 1,894 downloads, released 2025-11-01 |
| Plugin ID | org.bug.find.tools | DeepSeek FindBugs — 1,485 downloads, released 2025-11-09 |
| Plugin ID | org.translate.ai.simple | DeepSeek AI Chat — 1,317 downloads, released 2025-11-23 |
| Plugin ID | com.yy.test.ai.simple | DeepSeek Dev AI — 740 downloads, released 2025-11-30 |
| Plugin ID | com.dev.ai.toolkit | DeepSeek AI Coding — 450 downloads, released 2025-12-06 |
| Plugin ID | com.json.view.simple | AI FindBugs — 623 downloads, released 2025-12-14 |
| Plugin ID | com.my.git.ai.kit | AI Git Commitor — 301 downloads, released 2026-01-10 |
| Plugin ID | org.check.ai.ds | AI Coder Review — 735 downloads, released 2026-01-11 |
| Plugin ID | com.review.tool.code | DeepSeek Coder AI — 3,498 downloads, released 2026-01-15 |
| Plugin ID | org.code.assist.dev.tool | AI Coder Assistant — 319 downloads, released 2026-02-01 |
| Plugin ID | com.coder.ai.dpt | DeepSeek Code Review — 278 downloads, released 2026-04-18 |
| Plugin ID | com.my.code.tools | CodeGPT AI Assistant — 25,571 downloads, released 2026-06-09 |
| Plugin ID | ord.cp.code.ai.kit | DeepSeek AI Assist — 27,727 downloads, released 2026-06-10 |
| Plugin ID | com.dp.git.ai.tool | Coding Simple Tool — 3,931 downloads |
| API Auth Token | F48D2AA7CF341F782C1D | Static token embedded in the plugins, used to authenticate POST requests to the C2 server |

Note: IP addresses and domains are deliberately defanged (e.g., [.]) to avert inadvertent resolutions or hyperlinking. Re-fang solely within managed threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
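The audit below is an added example, not code from Aikido Security or JetBrains, that turns the advice to examine every installed JetBrains plugin and the IoC table above into a local check. It assumes the standard JetBrains layout of one folder per plugin with JARs under lib/ and a META-INF/plugin.xml whose `<id>` element (falling back to `<name>`, as JetBrains documents) identifies the plugin, and that the operator supplies the plugins directory path. The IoC values are copied from the table exactly as printed, defanged, and are re-fanged only in memory for byte matching; the two sample JARs the script builds are constructed, not real plugins.

```python
"""Audit a JetBrains plugins directory against this article's IoCs (added example).

Not code from Aikido Security or JetBrains. ASCII string constants sit verbatim in
Java class files, so a substring search finds the URL, IP and token; strings that a
plugin splits or encodes at build time would escape this check.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
import zipfile

# Plugin IDs and display names from the article's IoC table, copied as printed.
MALICIOUS_PLUGIN_IDS = {
    "org.sm.yms.toolkit": "DeepSeek Junit Test", "com.json.simple.kit": "DeepSeek Git Commit",
    "org.bug.find.tools": "DeepSeek FindBugs", "org.translate.ai.simple": "DeepSeek AI Chat",
    "com.yy.test.ai.simple": "DeepSeek Dev AI", "com.dev.ai.toolkit": "DeepSeek AI Coding",
    "com.json.view.simple": "AI FindBugs", "com.my.git.ai.kit": "AI Git Commitor",
    "org.check.ai.ds": "AI Coder Review", "com.review.tool.code": "DeepSeek Coder AI",
    "org.code.assist.dev.tool": "AI Coder Assistant", "com.coder.ai.dpt": "DeepSeek Code Review",
    "com.my.code.tools": "CodeGPT AI Assistant", "ord.cp.code.ai.kit": "DeepSeek AI Assist",
    "com.dp.git.ai.tool": "Coding Simple Tool",
}

# Network and token indicators, kept defanged exactly as the article prints them.
DEFANGED_IOCS = (
    "39.107.60[.]51",
    "hxxp://39.107.60[.]51/api/software/key",
    "F48D2AA7CF341F782C1D",
)


def refang(indicator):
    """Undo the article's defanging so the bytes can be matched inside a JAR."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


def plugin_id_from_xml(xml_bytes):
    """Plugin id from plugin.xml: <id>, else <name> (JetBrains' documented fallback), else None."""
    root = ET.fromstring(xml_bytes)
    for tag in ("id", "name"):
        el = root.find(tag)
        if el is not None and el.text and el.text.strip():
            return el.text.strip()
    return None


def inspect_jar(path):
    """Return (plugin_id, sorted defanged IoC strings whose re-fanged bytes occur in the JAR)."""
    patterns = [(refang(i).encode("ascii"), i) for i in DEFANGED_IOCS]
    plugin_id, hits = None, set()
    with zipfile.ZipFile(path) as zf:
        for entry in zf.namelist():
            data = zf.read(entry)
            if entry == "META-INF/plugin.xml":
                plugin_id = plugin_id_from_xml(data)
            hits.update(shown for raw, shown in patterns if raw in data)
    return plugin_id, sorted(hits)


def audit_plugins_dir(plugins_dir):
    """Walk plugins_dir; report each JAR with a listed plugin id or an embedded IoC string."""
    findings = []
    for dirpath, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                plugin_id, hits = inspect_jar(path)
            except (zipfile.BadZipFile, ET.ParseError):
                continue  # unreadable JAR or malformed plugin.xml: skip, do not abort the audit
            listed = MALICIOUS_PLUGIN_IDS.get(plugin_id)
            if listed or hits:
                findings.append({"jar": path, "plugin_id": plugin_id,
                                 "listed_as": listed, "ioc_strings": hits})
    return findings


def _write_jar(path, plugin_id, class_payload=b""):
    """Constructed-sample helper: a minimal plugin JAR with one fake class file."""
    xml = f"<idea-plugin><id>{plugin_id}</id><name>demo</name></idea-plugin>"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/plugin.xml", xml)
        zf.writestr("demo/Settings.class", b"\xca\xfe\xba\xbe" + class_payload)


def build_sample_plugins_dir():
    """Constructed sample, not real plugins: one benign JAR and one carrying the listed IoCs."""
    root = tempfile.mkdtemp(prefix="plugins-sample-")
    for folder in ("benign", "suspect"):
        os.makedirs(os.path.join(root, folder, "lib"))
    _write_jar(os.path.join(root, "benign", "lib", "benign.jar"), "org.example.benign")
    _write_jar(os.path.join(root, "suspect", "lib", "suspect.jar"), "com.my.code.tools",
               b"\x00".join(refang(i).encode("ascii") for i in DEFANGED_IOCS))
    return root


if __name__ == "__main__":
    # Point audit_plugins_dir at your IDE's plugins directory; the sample run uses constructed JARs.
    for finding in audit_plugins_dir(build_sample_plugins_dir()):
        print(finding)
```

A hit on the plugin id alone is enough to treat every key ever typed into that plugin as compromised; a hit on the embedded strings in a plugin whose id is not in the table is the signal that the same code has been republished under yet another name, which is exactly how this campaign reached 15 listings.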