
70,000 Developers Installed These JetBrains Plugins. Every AI API Key They Typed Went to Beijing.

  • Writer: Patrick Duggan
  • a few seconds ago
  • 3 min read

Fifteen plugins sat in the JetBrains Marketplace for eight months. They worked. They provided AI code review, commit message generation, bug finding, unit test creation — exactly what they advertised. They also silently POSTed every AI API key a developer typed into their settings to a server in Beijing the moment the developer clicked Apply.


The campaign ran from October 2025 to June 10, 2026. Combined installs across the fifteen plugins exceeded 70,000. JetBrains pulled them on June 16 and remotely disabled installed copies. The keys were already gone.



What the plugins did


Every one of the fifteen plugins presented as a DeepSeek-powered or AI-assisted coding tool. The names were designed to blend into the noise of an IDE plugin marketplace: DeepSeek AI Coding, AI Coder Review, CodeGPT AI Assistant, DeepSeek FindBugs, AI Git Commitor, and ten variants on the same theme. Seven separate publisher accounts were used to distribute them, which slowed detection by preventing any single account from accumulating enough installs or reports to trigger a review.


The credential theft mechanism was not hidden in the plugin code in any sophisticated way. When a user opened the plugin settings panel, entered their OpenAI, DeepSeek, or SiliconFlow API key, and clicked Apply — the standard configuration workflow — the plugin transmitted that key in plaintext over HTTP to 39.107.60[.]51/api/software/key. No encryption. No obfuscation in the network request. The key left the developer's machine readable by anyone on the path between their IDE and that server.


The server's IP address is announced by AS37963 — Alibaba Cloud's advertising subsidiary in Beijing.


The two highest-volume plugins — DeepSeek AI Assist with 27,727 downloads and CodeGPT AI Assistant with approximately 25,571 — account for most of the installation base. The remaining thirteen divided the rest. The operator ran the campaign for eight months by staying below individual thresholds while accumulating scale across multiple accounts.



The full plugin list


All fifteen were removed on June 16. If any of these names appear in your IntelliJ IDEA, PyCharm, WebStorm, GoLand, or other JetBrains IDE plugin list, treat the associated API keys as compromised (plugin ID in parentheses):


  • DeepSeek Junit Test (org.sm.yms.toolkit)
  • DeepSeek Git Commit (com.json.simple.kit)
  • DeepSeek FindBugs (org.bug.find.tools)
  • DeepSeek AI Chat (org.translate.ai.simple)
  • DeepSeek Dev AI (com.yy.test.ai.simple)
  • DeepSeek AI Coding (com.dev.ai.toolkit)
  • AI FindBugs (com.json.view.simple)
  • AI Git Commitor (com.my.git.ai.kit)
  • AI Coder Review (org.check.ai.ds)
  • DeepSeek Coder AI (com.review.tool.code)
  • AI Coder Assistant (org.code.assist.dev.tool)
  • DeepSeek Code Review (com.coder.ai.dpt)
  • CodeGPT AI Assistant (com.my.code.tools)
  • DeepSeek AI Assist (ord.cp.code.ai.kit)
  • Coding Simple Tool (com.dp.git.ai.tool)
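A local triage check for the list above, added here as an example and not code from the post or from JetBrains: it reads the plugin ID declared in META-INF/plugin.xml of every jar under a plugins directory and reports any that match the fifteen IDs. The plugins directory path is left to the caller because it differs per product and OS; the demo jars and `make_demo_jar` helper are constructed input, not real plugins.

```python
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Plugin IDs of the fifteen removed plugins, as listed in the post.
COMPROMISED_IDS = {
    "org.sm.yms.toolkit", "com.json.simple.kit", "org.bug.find.tools",
    "org.translate.ai.simple", "com.yy.test.ai.simple", "com.dev.ai.toolkit",
    "com.json.view.simple", "com.my.git.ai.kit", "org.check.ai.ds",
    "com.review.tool.code", "org.code.assist.dev.tool", "com.coder.ai.dpt",
    "com.my.code.tools", "ord.cp.code.ai.kit", "com.dp.git.ai.tool",
}

def plugin_id_from_jar(jar_path):
    """Return the <id> declared in META-INF/plugin.xml of a plugin jar, or None."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            if "META-INF/plugin.xml" not in zf.namelist():
                return None
            root = ET.fromstring(zf.read("META-INF/plugin.xml"))
    except (zipfile.BadZipFile, ET.ParseError, OSError):
        return None
    node = root.find("id")
    return node.text.strip() if node is not None and node.text else None

def scan_plugins_dir(plugins_dir):
    """Map each compromised plugin ID found under plugins_dir to the jar declaring it."""
    hits = {}
    for jar in Path(plugins_dir).rglob("*.jar"):  # covers foo.jar and foo/lib/*.jar layouts
        pid = plugin_id_from_jar(jar)
        if pid in COMPROMISED_IDS:
            hits[pid] = str(jar)
    return hits

def make_demo_jar(plugins_dir, name, plugin_id):
    """Constructed sample input: a minimal plugin jar in the <name>/lib/ layout."""
    jar = Path(plugins_dir) / name / "lib" / f"{name}.jar"
    jar.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/plugin.xml", f"<idea-plugin><id>{plugin_id}</id></idea-plugin>")
    return jar

def demo_scan():
    """Scan a temp directory holding one compromised and one benign constructed jar."""
    demo = tempfile.mkdtemp()
    make_demo_jar(demo, "codegpt", "com.my.code.tools")
    make_demo_jar(demo, "benign", "com.example.harmless")
    return scan_plugins_dir(demo)
```

Call `scan_plugins_dir` with the IDE's plugins directory to check a real workstation; `demo_scan()` runs the same logic over the constructed jars.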



Where this sits in the pattern


We have been writing about AI tooling as an attack surface since April. The supply chain campaigns have been moving up the stack. Mastra easy-day-js two days ago hit the npm packages AI agents depend on at install time. Phantom Gyp in early June hit the native module build system. The JetBrains campaign hits the IDE configuration layer — not the packages, not the build, but the tool the developer is actively using to write the code.


The credential being targeted has also shifted. Earlier supply chain campaigns went after cloud credentials, CI/CD tokens, and SSH keys — infrastructure access. The JetBrains campaign went specifically for AI API keys. That is a narrower, higher-value target given current market pricing: an OpenAI key with a funded account is a monetizable asset that can be sold or used directly for inference at the account owner's cost.


An OpenAI key with a $100 prepaid balance is worth more to a credential thief than a generic cloud access token if the cloud account requires further exploitation to monetize. AI API keys are immediately liquid. This campaign understood that.



What to do


JetBrains has remotely disabled the plugins in installed IDEs. If you had any of the fifteen installed, the plugin is no longer active — but the key you typed was already sent. Rotate every AI API key you configured in a JetBrains plugin settings panel. Check your OpenAI, DeepSeek, and SiliconFlow usage logs for unexpected inference calls between October 2025 and June 16, 2026.


Block 39.107.60[.]51 at your egress — we indexed it this morning at confidence 90. If you run developer workstations with outbound monitoring, hunt for plaintext HTTP connections to that IP, particularly with request bodies containing the string key or api_key from IDE processes.
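The hunt described above, as an added example that is not part of the original post: it classifies egress records by the two indicators the post gives (the collection server and plaintext POSTs from IDE processes whose bodies carry a key or api_key field) and redacts any key value before it lands in an alert. The JSON-lines record format, the sample records, the process names and the "sk-" key prefix used for redaction are all assumptions.

```python
import json
import re

# Indicators from the post: the collection endpoint and the field names to hunt for.
EXFIL_IP = "39.107.60.51"
EXFIL_PATH = "/api/software/key"
KEY_FIELD = re.compile(r'(?:^|[{&\s"])(?:api_key|key)"?\s*[=:]', re.I)
# Assumptions: OpenAI/DeepSeek-style keys start with "sk-" (used only for redaction), and
# these are the process names JetBrains IDEs run under on a workstation.
SECRET = re.compile(r"sk-[A-Za-z0-9_-]{8,}")
IDE_PROCESSES = {"idea", "idea64.exe", "pycharm", "pycharm64.exe", "webstorm", "goland"}

def classify(event):
    """Return the reasons an egress record matches the campaign; [] means no match."""
    reasons = []
    if event.get("dst_ip") == EXFIL_IP:
        reasons.append("destination is the known collection server")
        if event.get("path") == EXFIL_PATH:
            reasons.append("path matches /api/software/key")
    plaintext_post = event.get("scheme") == "http" and event.get("method") == "POST"
    from_ide = event.get("process", "").lower() in IDE_PROCESSES
    if plaintext_post and from_ide and KEY_FIELD.search(event.get("body", "")):
        reasons.append("plaintext POST from an IDE process carrying a key/api_key field")
    return reasons

def hunt(lines):
    """Parse JSON-lines egress records; return alerts with any key value redacted."""
    alerts = []
    for line in filter(str.strip, lines):
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            alerts.append({"ts": event.get("ts"), "process": event.get("process"),
                           "dst": f"{event.get('dst_ip')}{event.get('path', '')}",
                           "reasons": reasons,
                           "body": SECRET.sub("sk-[REDACTED]", event.get("body", ""))})
    return alerts

# Constructed sample records, not real traffic: one exfil POST, one legitimate HTTPS
# call from the IDE, and one unrelated plaintext POST from a non-IDE process.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"ts": "2026-06-10T09:12:44Z", "process": "idea64.exe", "method": "POST", "scheme": "http",
     "dst_ip": EXFIL_IP, "path": EXFIL_PATH, "body": '{"key":"sk-CONSTRUCTEDxxxxxxxx","type":"openai"}'},
    {"ts": "2026-06-10T09:13:01Z", "process": "idea64.exe", "method": "POST", "scheme": "https",
     "dst_ip": "203.0.113.10", "path": "/v1/chat/completions", "body": ""},
    {"ts": "2026-06-10T09:14:20Z", "process": "curl", "method": "POST", "scheme": "http",
     "dst_ip": "198.51.100.7", "path": "/login", "body": "user=dev&key=abc"},
])
```

`hunt(SAMPLE_LOG.splitlines())` returns a single alert for the first record with three reasons and the key value replaced by sk-[REDACTED]; the two other records do not match.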


We are at 95 percent on the attribution to this specific infrastructure. The broader question of who ran it and whether the collected keys were used for resale, unauthorized inference, or intelligence collection from developer codebases is unresolved.





