Fifteen plugins, close to seventy thousand installs, and every one of them hid the same function: the moment you typed your artificial intelligence key into the settings box and clicked "Apply," it left, without warning, for a server that was not yours.
What betrayed these developers was not a sophisticated attack. It was a convenience feature doing exactly what it promised, with one extra line: it saved your key for you and sent a copy to someone else. The attack surface is no longer the artificial intelligence itself, it is the assistant you bolt on top of it. Nobody broke in. You installed the thief and handed over the key.
How a setting became a leak
The research comes from Aikido Security. Researcher Ilyas Makari found fifteen malicious plugins, published under seven different accounts, on the JetBrains Marketplace, the add-on store for one of the most widely used programs for writing code. Each posed as an AI coding assistant built on DeepSeek and other models, and they worked: chat, code review, bug finding. The two most downloaded, "DeepSeek AI Assist" and "CodeGPT AI Assistant," together passed fifty thousand installs.
The trick sat in the box where you enter your API key, the credential that grants access (and charges) to your account with the AI providers. "The moment you click Apply, the settings handler stores your key and also forwards it to the attacker," Makari summed up. The keys targeted were those for OpenAI, DeepSeek and SiliconFlow, sent to a fixed server in plain text. The first plugins appeared in October 2025; the most recent was published on 10 June 2026.
JetBrains received the reports on 16 June, removed all fifteen plugins, shut down the seven accounts and disabled them remotely in the environments where they were already installed. The company's advice was blunt: treat any key entered into these plugins as exposed, revoke it and generate a new one.
It is not just developers
The same pattern repeats outside of code. In late 2025, OX Security caught two Chrome extensions, with around nine hundred thousand users between them, disguised as AI sidebars for ChatGPT, Claude and DeepSeek. They read the conversations straight off the page and sent them out every thirty minutes. The most popular even carried Google's "Featured" badge. "This data can be weaponized for corporate espionage, identity theft, targeted phishing campaigns, or sold on underground forums," OX Security warned.
In Portugal this is not abstract. The National Cybersecurity Centre warned in November 2025 that around 80% of the malicious code detected in the country over the year was the infostealer type, software built to quietly harvest credentials and whatever is stored in your browser. The plugin and the extension are exactly that, wearing a friendly artificial intelligence face.
What makes this work is not technical genius, it is trust placed in the wrong layer. An API key hands whoever holds it your money and your identity with the provider. A conversation with a chatbot keeps whatever you paste into it: code, contracts, passwords, internal plans. We have learned to distrust the email and the strange link, yet we still install the add-on with five stars and a nice logo without a second thought. A key, once it leaves, cannot be called back.
How to protect yourself
The steps are simple and apply to developers and to anyone who uses extensions:
- Treat any key you have entered into a third-party plugin or extension as already compromised: revoke it and generate a new one on the provider's site.
- For integrations, use keys with limited permissions and spending caps, never your main key.
- Install plugins and extensions only from publishers you can verify; the download count and a "Featured" badge are not a security guarantee.
- Review what you have installed in your code editor and your browser and remove what you do not use; every add-on is a door.
- Turn on multi-factor authentication and do not store work credentials in a personal browser.
The next big data breach may not need to break into you. It is enough that you install, in good faith, the one who will commit it, and hand it the key at the door.
Sources: The Hacker News, Aikido Security, JetBrains, OX Security, CNCS.
#StaySafe
🙏🖖
