Developers did not lose their AI credentials to a phishing email. They lost them to a plugin sitting inside the tool they trusted most: the IDE running on their machine.
JetBrains disclosed on June 16, 2026, it had received reports about 15 third-party Marketplace plugins built to steal AI provider API keys. The company removed all 15 plugins, blocked the publisher accounts behind them, and remotely disabled the affected plugins inside installed IDEs. JetBrains said its internal source code, development environments, and corporate infrastructure were not accessed.
How the Attack Worked
The plugins functioned as advertised. Each one offered genuine AI utility, branded around tools like DeepSeek and generic AI coding assistants, and developers configured them the same way they configure any IDE extension: by pasting an API key into a settings panel.
The moment a user clicked Apply, the plugin captured the key and sent it as plaintext JSON over unencrypted HTTP to a hardcoded command-and-control address, according to JetBrains and independent researchers. Several of the plugins installed a JVM-wide X509TrustManager, a component suppressing TLS warnings and reducing the chance a developer would notice anything wrong. The named providers affected in JetBrains’ remediation guidance include OpenAI, DeepSeek, and SiliconFlow.
Aikido Security, which first identified the campaign, reported the 15 plugins were installed close to 70,000 times combined, a figure JetBrains has not independently confirmed. A separate analysis from StepSecurity broke the total down further: the two most downloaded plugins, DeepSeek AI Assist and CodeGPT AI Assistant, accounted for 27,727 and 25,571 downloads respectively. Aikido says the earliest version of the campaign appeared in late October 2025, a timeline JetBrains’ post does not independently confirm, with new entries appearing as recently as June 9, 2026.
Why the Story Reaches Beyond JetBrains
The interesting part of the incident is not the malware mechanics. It is what the attack reveals about where sensitive credentials now live inside software teams.
IDE plugins sit inside a high-trust environment by design. They can see project context, configuration files, developer workflows, and increasingly, the API keys connecting a coding environment to a paid AI service. A calendar app on a phone does not get the same level of access. A plugin promising to make AI coding faster usually does, because usefulness and access tend to scale together.
My take: AI coding adoption moved key management into a layer most security teams still treat as a productivity decision rather than an infrastructure decision. Developers reasonably assumed a Marketplace listing implied some baseline safety check. JetBrains’ account undercuts the assumption directly.
The Marketplace Trust Gap
JetBrains has acknowledged its Plugin Verifier historically checked compatibility and API usage, not the kind of behavioral data-flow analysis needed to catch a plugin quietly phoning home with a stolen key. A plugin can call only documented, permitted APIs and still behave maliciously the moment a secret passes through it. Compatibility checks were never built to catch the pattern, because nobody designed them to.
JetBrains says it is now adding ingestion rules to flag raw HTTP and IP endpoints, unauthorized TLS weakening, and suspicious key-handling patterns before a plugin reaches the Marketplace. The fix targets a real gap, though it arrives after a campaign apparently active for roughly eight months.
What Comes Next for Affected Teams
Security teams responding to a credential-theft incident face a narrow set of immediate priorities. The first priority is rotating any key entered into one of the affected plugins, followed by a review of AI provider usage logs for abnormal activity. Teams can also block the known command-and-control address, 39.107.60.51, removing one obvious path back into compromised accounts. Scoped keys, hard spending caps, and least-privilege access reduce the blast radius the next time a plugin, not a phishing email, turns out to be the entry point.
JetBrains has advised affected users to check their AI provider dashboards for suspicious spend or unusual usage. The guidance confirms a recommended remediation step, not a confirmed loss. No confirmed dollar losses or named attribution have surfaced publicly as of publication, and the draft does not assume either exists.
The Bigger Lesson for Enterprise AI
Enterprises spent the past two years building governance programs around AI vendors and cloud accounts. The JetBrains incident argues for governance one layer down, at the tools developers install themselves without asking permission. An IDE plugin marketplace functions as a software supply chain, regardless of whether security teams have started treating it as one. The organizations updating their threat model first will be the ones not explaining a credential breach to their board next.
