SECURITY researchers from Aikido Security discovered 15 malicious plugins on the JetBrains Marketplace that have been stealing API keys from developers. These plugins, posing as AI coding assistants, have been installed approximately 70,000 times since their initial appearance in October 2025, with some updates released as recently as June 2026. When developers enter their API keys for services like OpenAI, these keys are immediately exfiltrated to a server controlled by attackers without user consent.
The campaign's ultimate goal remains unclear, but stolen API keys could be resold or misused. Aikido highlighted the increasing targeting of integrated development environments (IDEs) by cybercriminals due to the wealth of sensitive information they possess.