Malicious JetBrains Plugins Steal AI API Keys as Chrome Extensions Capture Chatbot Chats

Cybersecurity researchers have flagged a “malware campaign” on the JetBrains Marketplace that has published no fewer than 15 malicious plugins capable of extracting the provider’s artificial intelligence (AI) keys.

“Every plugin stands as an AI code assistant built on DeepSeek and other major language models, offering chat, messaging, code review, bug detection, and unit testing,” said Aikido Security researcher Ilyas Makari. “They work as advertised. However, the API key of the AI ​​provider you install is leaked to a server controlled by the attacker.”

Work is said to have been ongoing since the end of October 2025, with new plugins just released on June 10, 2026. Two plugins, CodeGPT AI Assistant and DeepSeek AI Assist, have over 25,000 downloads each, although it is unclear if the figures are real or fake.

The complete list of plugins is below –

• DeepSeek Junit Test (org.sm.yms.toolkit)
• DeepSeek Git Commit (com.json.simple.kit)
• DeepSeek FindBugs (org.bug.find.tools)
• DeepSeek AI Discussion (org.translate.ai.simple)
• DeepSeek Dev AI (com.yy.test.ai.simple)
• DeepSeek AI Coding (com.dev.ai.toolkit)
• AI FindBugs (com.json.view.simple)
• AI Git Commitor (com.my.git.ai.kit)
• AI Code Check (org.check.ai.ds)
• DeepSeek Coder AI (com.review.tool.code)
• AI Coder Assistant (org.code.assist.dev.tool)
• DeepSeek Coder Review (com.coder.ai.dpt)
• CodeGPT AI Assistant (com.my.code.tools)
• DeepSeek AI Assist (ord.cp.code.ai.kit)
• Easy Coding Tool (com.dp.git.ai.tool)

Aikido Security said all 15 plugins share the same codebase, requiring users to open the settings panel and enter an AI API key such as OpenAI, SiliconFlow, or DeepSeek to perform the promised function.

While the plugins work as intended, they have been found to sneak in the ability to hide the API key provided on a remote server (“39.107.60[.]51”) under the attacker’s control over an HTTP request in plain text format.

“Plugins also use the paid category,” the company said. “After the user pays a small fee through the contribution wall built into the plugin, the server sends the API key back down to the client, and the plugin starts using that key in its model calls instead of yours, which is strange, since no official authority can just give the user a valid and unrestricted key to a paid AI provider.”

This raised the possibility that the operators running the campaign shared the AI ​​provider’s API keys with other threat actors as part of an illegal monetization scheme, effectively turning it into a service that gave paying users access to the victim’s AI provider.

“The operator collects money on one side and free data on the other, while the real owners pay the debt,” Makari said.

This campaign is further evidence of how threat actors are increasingly targeting developer environments through the open source ecosystem, which has become a lucrative target because they hold source code, cloud credentials, signing keys, and API keys for paid AI services that can be resold to LLM hacking schemes.

“Treat a plugin in the same way you would treat any dependency associated with your rights, and be careful about attaching long-term secrets to tools you haven’t tested,” Aikido Security said.

Malicious Chrome Extensions Steal AI Chats

The development coincides with the availability of two Google Chrome blocker extensions that capture user conversations with AI chatbots such as OpenAI ChatGPT, Anthropic Claude, Google Gemini, Microsoft Copilot, Perplexity, DeepSeek, xAI Grok, and Meta AI. The data collection task was codenamed PromptSnatcher by researcher Jean-Marie R.

The names of the extensions, which are still available in the Chrome Web Store, are as follows –

• Smart Adblocker (ID: iojpcjjdfhlcbgjnpngcmaojmlokmeii) – 90,000 users (Published October 2022)
• Adblock for Browser (ID: jcbjcocinigpbgfpnhlpagidbmlngnnn) – 10,000 users (Published August 2023)

“While presented as ad blockers, the extensions deploy a custom-built blocking engine that records non-public conversations, model usage, and account-tier metadata from all major AI platforms (ChatGPT, Claude, Gemini, and others),” the researcher said. “This project uses official public filter lists (EasyList, IDCAC) as an effective cover, providing a real ad blocking tool while using an undisclosed telemetry channel.”

The fact that these two extensions have been around for a few years indicates that AI-related data processing features have been introduced in the form of software updates.

These types of attacks fall under the category known as Prompt Poaching. In the past few months, browser extensions, legitimate and malicious, have been seen using this method to secretly capture users’ AI conversations under the pretext of improving Safe Browsing or providing in-depth traffic or engagement metrics. What is unclear is whether these practices violate Google’s policies for browser extensions.

“The extensions capture the full history of the AI ​​conversation, the use of the model, and the registration section from the eight platforms, and we transfer this data to the infrastructure controlled by the operator without notice to the user beyond the permission string of ‘Advanced Protection’,” the researcher noted.