Malicious VS Code, JetBrains Extensions Steal AI API Keys

David kimber
June 22, 2026 4 Min Read

Key Takeaways

  • A widespread malicious campaign targeted developers through fake IDE plugins, stealing AI API keys.
  • The attack impacted users of JetBrains IDEs and Visual Studio Code, with over 70,000 combined installs across 15 malicious JetBrains plugins alone.
  • Attackers leveraged seemingly legitimate AI coding assistant plugins to exfiltrate API keys for services like OpenAI, Anthropic, DeepSeek, and SiliconFlow.
  • The campaign also included a unique monetization scheme, where stolen keys were potentially resold.
  • Developers should immediately audit installed extensions, revoke compromised API keys, and implement enhanced security measures for their development environments.

Developers relying on AI coding assistants are facing a significant and evolving threat landscape. A sophisticated malware operation has been uncovered, primarily targeting the JetBrains Marketplace, where at least 15 deceptive IDE plugins were actively siphoning AI provider API keys from thousands of unsuspecting developers. This campaign, meticulously detailed by researchers at Aikido Security, highlights a growing trend of attackers exploiting trust in developer ecosystems.

These plugins masqueraded as beneficial AI coding tools, offering integration with popular services like DeepSeek, OpenAI, and SiliconFlow. Beneath their helpful exterior, however, lay a dangerous routine designed for credential theft. The malicious activity persisted for approximately eight months, with the initial rogue plugins appearing in late October 2025 and new variants continuing to surface as recently as June 10, 2026.

Before detection, the 15 compromised plugins collectively amassed nearly 70,000 installations across seven distinct vendor accounts. The extensive reach and longevity of this campaign underscore the deep reliance developers place on marketplace ecosystems and the ease with which this trust can be weaponized for malicious ends. The Cloud Security Alliance (CSAI), in a report shared with Cyber Security News (CSN), emphasized that IDE plugin ecosystems have become a prime attack vector for AI credential theft, noting a critical gap in supply chain integrity controls within these environments.

This incident is not isolated. Researchers concurrently tracked two other related threats active during the same period. The “GlassWorm” worm targeted the Visual Studio Code Marketplace and the OpenVSX Registry, while a separate supply chain compromise involving “Nx Console” impacted GitHub’s Internal Repository. These parallel attacks signify a broader strategic shift by malicious actors towards developer toolchains as high-value entry points for compromise.

The financial implications of these attacks are substantial. AI inference services are costly, with enterprise clients often incurring significant monthly fees for model access. A stolen API key allows attackers to consume this quota without cost, leaving the legitimate owner to foot the bill. This creates a burgeoning black market for resold AI access, where compromised keys are monetized.

Malicious JetBrains and VS Code Extensions

All 15 identified malicious JetBrains plugins shared a nearly identical codebase, merely repackaged and re-listed under various names and vendor profiles. When a developer entered their API key into a plugin’s settings and clicked “Apply,” the credential was stored locally as expected. Simultaneously, it was surreptitiously forwarded via an unencrypted HTTP POST request to a hardcoded, attacker-controlled server. Crucially, no notification or consent prompt alerted the user to this unauthorized data transmission.

Aikido’s analysis further revealed a unique monetization strategy: some plugins offered a paid tier. Upon payment of a small fee, the attacker’s server would return a functional API key to the client. Researchers hypothesize that these returned keys were likely pilfered from free-tier victims, effectively transforming the operation into a credential resale service, generating both illicit revenue and free AI compute for the attackers.

GlassWorm and the Broader VS Code Risk

The GlassWorm threat, initially discovered by Koi Security in October 2025, represents a technically advanced form of attack. It propagated through malicious VS Code extensions distributed via the OpenVSX Registry. This malware ingeniously utilized invisible Unicode characters to embed malicious logic within extension source files. This technique made the harmful code appear as innocuous empty lines to both human code reviewers and automated analysis tools, allowing it to bypass most standard detection mechanisms.
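A review-time check for the invisible-character technique described above, as an added example that is not code from Koi Security or any vendor named here. The article does not say which code points GlassWorm used, so the character classes, file suffixes and run threshold below are assumptions, and the sample input is constructed.

```python
import unicodedata
from pathlib import Path

# Assumption: the page does not name the code points used, so this flags the
# general classes that render as nothing in most editors and diff views.
VARIATION_SELECTORS = [(0xFE00, 0xFE0F), (0xE0100, 0xE01EF)]
SOURCE_SUFFIXES = {".js", ".ts", ".mjs", ".cjs", ".json"}
RUN_THRESHOLD = 8  # assumed cutoff: a long invisible run suggests embedded data

# Constructed sample: line 2 looks empty but holds 12 variation selectors.
SAMPLE = "const a = 1;\n" + "\ufe00" * 12 + "\nname = 'x\u200by'\n"


def is_invisible(ch):
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in VARIATION_SELECTORS):
        return True
    # Cf = format characters (zero-width space/joiner, bidi controls, tags);
    # Co = private use area, which has no standard glyph.
    return unicodedata.category(ch) in ("Cf", "Co")


def scan_text(text):
    """Return (line_no, invisible_count, longest_run) for each affected line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        count = longest = run = 0
        for ch in line:
            if is_invisible(ch):
                count += 1
                run += 1
                longest = max(longest, run)
            else:
                run = 0
        if count:
            findings.append((line_no, count, longest))
    return findings


def scan_tree(root):
    """Scan extension sources under root; return (path, line, count, run, severity)."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            text = path.read_text(encoding="utf-8-sig", errors="replace")
            for line_no, count, run in scan_text(text):
                sev = "high" if run >= RUN_THRESHOLD else "review"
                results.append((str(path), line_no, count, run, sev))
    return results
```

Isolated hits such as an emoji variation selector or a zero-width joiner in a localized string are common in legitimate code, which is why short runs are marked for review rather than treated as malicious.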

Once activated, GlassWorm systematically harvested GitHub tokens, npm tokens, OpenVSX tokens, and cryptocurrency wallet data. Following data exfiltration, it would then force-push malicious commits to every repository accessible by the victim’s account, thereby spreading the infection to any developer who subsequently cloned those repositories. A collaborative effort involving CrowdStrike, Google, and the Shadowserver Foundation successfully neutralized all four GlassWorm command-and-control channels on May 26, 2026, mitigating further propagation of this sophisticated threat, as reported by TrueSec.

What You Should Do

  • Immediate Audit: Conduct a thorough audit of all installed JetBrains plugins and VS Code extensions. Remove any suspicious or unvetted extensions.
  • API Key Revocation: Treat any API key entered into an unvetted or potentially malicious plugin as compromised. Immediately revoke and rotate API keys for services such as OpenAI, Anthropic, DeepSeek, and SiliconFlow via their respective provider dashboards.
  • Network Blocking: Instruct network security teams to block outbound traffic to the attacker’s command-and-control server, specifically the IP address 39.107.60[.]51 and URL hxxp://39.107.60[.]51/api/software/key.
  • Enhanced Review Processes: Organizations should implement and enforce behavioral review, in addition to static code scanning, before approving new IDE plugins and extensions for use within development environments.
  • Stay Informed: Regularly monitor threat intelligence from trusted sources like Aikido Security and the Cloud Security Alliance for updates on developer toolchain security.
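To scope the key revocation and network blocking steps above, the following added example (not from Aikido's report or any vendor tooling) searches egress proxy logs for the published indicators and lists the machines whose keys should be rotated. The log format, host names and timestamps are constructed assumptions; only the IP address and URL come from this article.

```python
from urllib.parse import urlsplit

# Indicators as published in the article, kept defanged in source.
IOC_IP = "39.107.60[.]51"
IOC_URL = "hxxp://39.107.60[.]51/api/software/key"


def refang(value):
    return value.replace("[.]", ".").replace("hxxp", "http", 1)


# Constructed sample log; assumed format: time host method url status.
ip = refang(IOC_IP)
SAMPLE_LOG = "\n".join([
    f"2026-06-11T09:14:02Z dev-laptop-17 POST http://{ip}/api/software/key 200",
    "2026-06-11T09:14:05Z dev-laptop-17 POST https://api.example.com/v1/chat 200",
    f"2026-06-11T10:02:44Z build-agent-3 GET http://{ip}/ 404",
    f"2026-06-11T10:30:00Z dev-laptop-22 POST http://{ip}.example.net/api/software/key 200",
    "malformed line",
])


def find_hits(log_text):
    """Return one dict per request that reached the published C2 address."""
    ioc_ip = refang(IOC_IP)
    ioc = urlsplit(refang(IOC_URL))
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the assumed format
        when, host, method, url, _status = parts
        target = urlsplit(url)
        if target.hostname != ioc_ip:  # exact host match, not a substring test
            continue
        exfil = (method == "POST" and target.scheme == ioc.scheme
                 and target.path == ioc.path)
        hits.append({"time": when, "host": host,
                     "kind": "key_exfil" if exfil else "c2_contact"})
    return hits


def hosts_needing_rotation(hits):
    """Machines that POSTed to the key endpoint; rotate every AI key used there."""
    return sorted({h["host"] for h in hits if h["kind"] == "key_exfil"})
```

Because the upload was plain HTTP, the full URL is visible to a forward proxy without TLS inspection; the earliest matching timestamp per host bounds the window in which keys entered on that machine were exposed.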

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.
