The plugins, listed under seven vendor accounts, were presented as coding assistants, code reviewers, bug finders, unit-test generators and Git commit-message tools. They invoked services familiar to developers using artificial intelligence inside IDEs, including OpenAI, DeepSeek and SiliconFlow. Combined marketplace download figures for the identified plugins were close to 70,000, with DeepSeek AI Assist and CodeGPT AI Assistant accounting for more than 53,000 of those downloads.
The campaign is notable because the malicious behaviour did not depend on a visibly broken or suspicious tool. The plugins offered chat, code review, bug detection, commit-message generation and test writing, giving users little reason to suspect that a credential-harvesting routine was running behind the settings panel. The theft was triggered when a developer pasted an API key into the plugin configuration and clicked Apply, a normal step for “bring your own key” AI tools.
Technical analysis found that the plugins used a shared codebase repackaged under different names and identifiers. Once a key was saved, the settings handler passed it to a hardcoded endpoint at 39.107.60[.]51 over unencrypted HTTP. The request included a static authentication value embedded in the plugin code, while the payload contained the user’s provider secret. That meant the key left the workstation before the developer had any indication that it was being sent anywhere other than the selected AI service.
The earliest known listing in the cluster appeared on 31 October 2025, when DeepSeek Junit Test was released. Other plugins followed through November, December, January, February and April, before a jump in June, when CodeGPT AI Assistant was released on 9 June and DeepSeek AI Assist on 10 June. Their download counts rose far above most earlier entries, although marketplace figures cannot be treated as a precise count of unique victims because downloads and ratings can be inflated.
The identified plugins include DeepSeek Junit Test, DeepSeek Git Commit, DeepSeek FindBugs, DeepSeek AI Chat, DeepSeek Dev AI, DeepSeek AI Coding, AI FindBugs, AI Git Commitor, AI Coder Review, DeepSeek Coder AI, AI Coder Assistant, DeepSeek Code Review, CodeGPT AI Assistant, DeepSeek AI Assist and Coding Simple Tool. Vendor accounts linked to the listings included CodePilot, StackSmith, CodeCrafter, CodeWeaver, JetCode, DailyCode and ZenCoder.
The attackers also appear to have built a paid tier into the operation. After payment through a donation wall, the remote server could return an API key to the user’s plugin, which would then use that key for model calls. The origin of those returned credentials has not been established, but the design raises the possibility of a two-sided abuse model in which credentials taken from one group of developers are reused or resold to another.
The incident underlines a widening security problem around AI-assisted development. IDE plugins sit inside environments that often contain proprietary code, project files, cloud credentials, tokens and build-system access. JetBrains’ Marketplace guidance says plugins run with the same access rights as the IDE, can connect to the internet, can interact with files and are not isolated through fine-grained permissions or sandboxing. Marketplace moderation combines automatic checks and review, but the case shows how a small exfiltration routine can be hidden inside a tool that otherwise behaves as advertised.
The risk is not limited to immediate billing abuse on AI platforms. A stolen API key can reveal usage patterns, expose application workflows, enable unauthorised model calls and create unexpected costs for the key owner. Where organisations use central accounts, a compromised key may also blur audit trails, making it harder to distinguish legitimate developer activity from attacker-driven consumption.
Follow Arabian Post
Select Arabian Post as your preferred source on Google and MSN News for trusted business news and Arab politics and updates.
