Malicious JetBrains and VS Code Extensions Steal OpenAI, Anthropic, and DeepSeek API Keys

Jun 22, 2026 · 5 min read

Developers who rely on AI coding tools are now facing a serious new threat. A coordinated malware campaign has been uncovered on the JetBrains Marketplace, where at least 15 fake IDE plugins were quietly stealing AI provider API keys from thousands of developers.

The plugins posed as helpful AI coding assistants built on DeepSeek, OpenAI, and SiliconFlow, but hid a dangerous credential-theft routine beneath their surface.

The attack spanned roughly eight months, with the earliest malicious plugins appearing in late October 2025 and new ones still being published as recently as June 10, 2026.

Together, the 15 plugins accumulated close to 70,000 combined installs across seven vendor accounts before being detected. The scale and persistence of this campaign highlight just how deeply developers trust marketplace ecosystems and how easily that trust can be weaponized.

Researchers at Aikido Security were the first to identify and publicly disclose the campaign. The Cloud Security Alliance (CSAI) said in a report shared with Cyber Security News (CSN) that IDE plugin ecosystems have become a primary attack surface for AI credential theft, noting that supply chain integrity controls have not been extended to these environments.

All three documented campaigns confirm that the developer toolchain is now a well-recognized and actively exploited target.

Alongside the JetBrains campaign, researchers tracked two related threats active during the same window.

The GlassWorm worm targeted the Visual Studio Code Marketplace and the OpenVSX Registry, while a separate Nx Console supply chain compromise hit GitHub’s Internal Repository. Together, they reflect a wider pattern of attackers converging on developer tools as a high-value entry point.

The financial stakes make these attacks especially attractive. AI inference is costly, and enterprise customers pay significant monthly fees for model access.

A stolen API key lets an attacker consume that quota at zero cost while the legitimate owner keeps paying the bill, creating a growing black market for resold AI access.

Malicious JetBrains and VS Code Extensions

All 15 malicious plugins shared nearly identical code, repackaged and relisted under different names and vendor accounts.

When a developer entered their API key into the plugin settings and clicked Apply, the credential was stored locally as expected but simultaneously forwarded via a plain HTTP POST request to a hardcoded attacker-controlled server.

No notification and no consent screen ever appeared in the interface. Aikido’s analysis also uncovered a monetization layer that sets this campaign apart from ordinary credential theft.

Some plugins offered a paid tier, and once a user paid a small fee, the attacker’s server would return a working API key to the client.

Researchers believe those returned keys were likely stolen from free-tier victims, turning the campaign into a credential resale service where attackers collected both money and free AI compute.

GlassWorm and the Broader VS Code Risk

GlassWorm, a technically advanced threat first identified by Koi Security in October 2025, spread through malicious VS Code extensions on the OpenVSX Registry.

It used invisible Unicode characters to hide malicious logic inside extension source files, making the code appear as empty lines to human reviewers and automated tools alike. This technique allowed the malware to slip past most standard review processes undetected.
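A defender-side check for the invisible-character trick described above. This is an added example, not code from the article, Koi Security, or any extension: it flags lines in extension source files that carry format-category or otherwise non-rendering code points, and runs over a constructed sample file (SAMPLE_EXTENSION_JS), not anything taken from GlassWorm.

```python
import os
import unicodedata

# Code points that render as nothing (or as ordinary whitespace) in most editors but survive in
# source files. GlassWorm-style hiding depends on reviewers and scanners treating such lines as empty.
INVISIBLE = {
    "\u200b", "\u200c", "\u200d",  # zero width space / non-joiner / joiner
    "\u2060", "\u2061", "\u2062", "\u2063", "\u2064",  # word joiner, invisible operators
    "\ufeff", "\u00ad", "\u034f",  # BOM mid-file, soft hyphen, combining grapheme joiner
    "\u115f", "\u1160", "\u3164", "\uffa0",  # Hangul fillers: visually blank but category Lo
}
VARIATION_SELECTORS = {chr(c) for c in range(0xFE00, 0xFE10)} | {chr(c) for c in range(0xE0100, 0xE01F0)}

def is_suspicious(ch):
    # Category Cf also covers bidi overrides (U+202E etc.) and the U+E0000 tag block, which can carry bytes in "empty" text.
    return ch in INVISIBLE or ch in VARIATION_SELECTORS or unicodedata.category(ch) == "Cf"

def scan_source(text):
    """Return [(line_no, count, sorted code points)] for each line carrying suspicious characters."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        bad = [ch for ch in line if is_suspicious(ch)]
        if bad:
            findings.append((n, len(bad), sorted({f"U+{ord(c):04X}" for c in bad})))
    return findings

def scan_tree(root, exts=(".js", ".ts", ".mjs", ".json", ".kt", ".java", ".xml")):
    """Walk an extensions/plugins directory and return {path: findings} for files that hit."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample: line 3 looks blank in an editor but carries a zero-width payload,
# and line 5 smuggles a right-to-left override into a string literal.
SAMPLE_EXTENSION_JS = (
    "const vscode = require('vscode');\n"
    "function activate(context) {\n"
    "\u200b\u200c\u200d\u200b\u200c\n"
    "  console.log('extension ready');\n"
    "  const label = 'safe\u202e';\n"
    "}\n"
)
```

Point scan_tree at the local extensions directory (for VS Code, os.path.expanduser("~/.vscode/extensions")) and triage the report by hand: localized strings and emoji sequences legitimately use joiners and variation selectors, so a hit is a review prompt, not proof of compromise.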

Once active, GlassWorm harvested GitHub tokens, npm tokens, OpenVSX tokens, and cryptocurrency wallet data. It then force-pushed malicious commits to every repository the victim’s account could reach, spreading the infection to any developer who later cloned those repositories.

CrowdStrike, together with Google and the Shadowserver Foundation, neutralized all four GlassWorm command-and-control channels on May 26, 2026.

Developers should immediately audit all installed JetBrains plugins and VS Code extensions and treat any API key entered into an unvetted plugin as fully compromised.

Keys for OpenAI, Anthropic, DeepSeek, and SiliconFlow should be revoked and rotated through their respective provider dashboards without delay.

Network teams should block outbound traffic to the attacker’s server, and organizations should require behavioral review, not only static code scanning, before approving new IDE plugins.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| IP Address | 39.107.60[.]51 | Hardcoded C2 server receiving stolen API keys via plain HTTP POST |
| URL | hxxp://39.107.60[.]51/api/software/key | Exfiltration endpoint used by all 15 malicious JetBrains plugins |
| Plugin ID | org.sm.yms.toolkit | DeepSeek Junit Test — 1,121 downloads, released 2025-10-31 |
| Plugin ID | com.json.simple.kit | DeepSeek Git Commit — 1,894 downloads, released 2025-11-01 |
| Plugin ID | org.bug.find.tools | DeepSeek FindBugs — 1,485 downloads, released 2025-11-09 |
| Plugin ID | org.translate.ai.simple | DeepSeek AI Chat — 1,317 downloads, released 2025-11-23 |
| Plugin ID | com.yy.test.ai.simple | DeepSeek Dev AI — 740 downloads, released 2025-11-30 |
| Plugin ID | com.dev.ai.toolkit | DeepSeek AI Coding — 450 downloads, released 2025-12-06 |
| Plugin ID | com.json.view.simple | AI FindBugs — 623 downloads, released 2025-12-14 |
| Plugin ID | com.my.git.ai.kit | AI Git Commitor — 301 downloads, released 2026-01-10 |
| Plugin ID | org.check.ai.ds | AI Coder Review — 735 downloads, released 2026-01-11 |
| Plugin ID | com.review.tool.code | DeepSeek Coder AI — 3,498 downloads, released 2026-01-15 |
| Plugin ID | org.code.assist.dev.tool | AI Coder Assistant — 319 downloads, released 2026-02-01 |
| Plugin ID | com.coder.ai.dpt | DeepSeek Code Review — 278 downloads, released 2026-04-18 |
| Plugin ID | com.my.code.tools | CodeGPT AI Assistant — 25,571 downloads, released 2026-06-09 |
| Plugin ID | ord.cp.code.ai.kit | DeepSeek AI Assist — 27,727 downloads, released 2026-06-10 |
| Plugin ID | com.dp.git.ai.tool | Coding Simple Tool — 3,931 downloads |
| API Auth Token | F48D2AA7CF341F782C1D | Static token hardcoded in plugins, used to authenticate POST requests to C2 server |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
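Two checks a practitioner would run from the IoC table above, as an added example that is not the article's or Aikido's code: matching proxy or firewall log lines against the C2 address, exfiltration path and static token, and checking installed JetBrains plugins' META-INF/plugin.xml descriptors against the 15 malicious plugin IDs. Indicators stay defanged in source and are refanged only in memory, in keeping with the note above; the log lines and plugin descriptors are constructed samples.

```python
import re
import xml.etree.ElementTree as ET
# IoCs from the table above, kept defanged in source so this file can be shared safely;
# refang() is applied in memory only at match time (real proxy logs are already fanged).
C2_IP = "39.107.60[.]51"
C2_PATH = "/api/software/key"
C2_AUTH_TOKEN = "F48D2AA7CF341F782C1D"
MALICIOUS_PLUGIN_IDS = {
    "org.sm.yms.toolkit", "com.json.simple.kit", "org.bug.find.tools", "org.translate.ai.simple",
    "com.yy.test.ai.simple", "com.dev.ai.toolkit", "com.json.view.simple", "com.my.git.ai.kit",
    "org.check.ai.ds", "com.review.tool.code", "org.code.assist.dev.tool", "com.coder.ai.dpt",
    "com.my.code.tools", "ord.cp.code.ai.kit", "com.dp.git.ai.tool",
}

def refang(ioc):
    return ioc.replace("[.]", ".").replace("hxxp", "http")
# Anchored so the C2 address is not matched inside a longer address such as 139.107.60.51.
C2_IP_RE = re.compile(r"(?<![\d.])" + re.escape(refang(C2_IP)) + r"(?![\d.])")

def match_log_line(line):
    """Return the IoC labels present in one proxy/firewall log line (empty list = clean)."""
    hits = []
    if C2_IP_RE.search(line):
        hits.append("c2_ip")
    if C2_PATH in line:
        hits.append("exfil_path")
    if C2_AUTH_TOKEN in line:
        hits.append("auth_token")
    return hits

def installed_malicious_plugins(plugin_xml_by_dir):
    """{plugin_dir: text of its META-INF/plugin.xml} -> {plugin_dir: id} for known-bad plugin ids."""
    found = {}
    for plugin_dir, xml_text in plugin_xml_by_dir.items():
        try:
            plugin_id = (ET.fromstring(xml_text).findtext("id") or "").strip()
        except ET.ParseError:
            continue  # an unparseable descriptor is not evidence either way; review it by hand
        if plugin_id in MALICIOUS_PLUGIN_IDS:
            found[plugin_dir] = plugin_id
    return found

SAMPLE_LOGS = [  # constructed sample lines, defanged like the article's IoC table
    "2026-06-11T09:14:02Z dev-ws-17 POST hxxp://39.107.60[.]51/api/software/key 200",
    "2026-06-11T09:14:03Z dev-ws-17 GET https://api.openai.com/v1/models 200",
    "2026-06-11T09:15:40Z dev-ws-22 GET https://139.107.60[.]51/healthz 200",
]
SAMPLE_PLUGINS = {  # constructed: plugin directory -> its META-INF/plugin.xml text
    "plugins/DeepSeek AI Assist": "<idea-plugin><id>ord.cp.code.ai.kit</id><name>DeepSeek AI Assist</name></idea-plugin>",
    "plugins/kotlin": "<idea-plugin><id>org.jetbrains.kotlin</id><name>Kotlin</name></idea-plugin>",
}
```

Feed real log lines straight into match_log_line (they need no refang), and build the plugin mapping by reading META-INF/plugin.xml out of each directory or jar under the IDE's plugins folder.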

Source: CybersecurityNews.com
