- Fifteen malicious plugins on the JetBrains Marketplace have been stealing AI provider API keys in a campaign active since October 2025.
- Two of the fraudulent plugins, CodeGPT AI Assistant and DeepSeek AI Assist, have been downloaded over 25,000 times each, according to Aikido Security.
- Separately, two Chrome ad blocker extensions with over 100,000 combined users have been covertly stealing user conversations with major AI chatbots.
- The operations highlight a growing trend of threat actors targeting developers and users to steal valuable AI credentials and data.

Cybersecurity researchers have uncovered a coordinated malware campaign on the JetBrains Marketplace involving fifteen malicious plugins designed to steal AI provider keys. This ongoing threat, which began in late 2025, has successfully targeted developers through seemingly functional AI coding assistants.
Aikido Security researcher Ilyas Makari reported that the plugins, posing as tools from DeepSeek and others, covertly exfiltrate the API keys that users enter. The stolen keys are sent in plaintext to a remote attacker-controlled server, “while the genuine key owners pay the bill.”
Consequently, the campaign may operate as an illicit monetization scheme where stolen keys are shared. This activity exemplifies how threat actors are increasingly targeting developer environments for valuable secrets.
Meanwhile, a separate operation codenamed PromptSnatcher has been stealing AI chatbot conversations via malicious Chrome extensions. Two ad blocker extensions with a combined 100,000 users have been intercepting private chats from platforms like ChatGPT and Gemini.
These Prompt Poaching attacks capture full conversation histories and model usage data without clear user consent. The discovery underscores the expanding threat landscape targeting AI services and their users directly.
