15 Harmful JetBrains Plugins Discovered Stealing DeepSeek and OpenAI API Keys

Cybercriminals Exploit Fake AI Tools in Targeted Attack on JetBrains Marketplace

Cybercriminals have launched a coordinated supply chain attack targeting software developers through the JetBrains Marketplace, utilizing counterfeit artificial intelligence (AI) tools. This breach was uncovered by Aikido Security, a firm specializing in code security, which identified 15 fraudulent plugins masquerading as AI coding assistants, developed using large language models like DeepSeek.

The initial wave of these malicious plugins was registered at the end of October 2025, with new iterations appearing as recently as June 2026. Seven distinct seller accounts were employed to publish these plugins, which have been downloaded approximately 70,000 times. Among the most downloaded versions are the CodeGPT AI Assistant and DeepSeek AI Assist. In a bid to increase trustworthiness, the attackers also included fake five-star reviews.

The methodologies deployed in this operation parallel those observed in similar cybersecurity breaches. They involve the installation of extensions that surreptitiously exfiltrate users’ private AI authentication credentials to a hard-coded server controlled by the attackers.

The infiltration mechanism features well-structured malicious code embedded within legitimate software that provides authentic functions, such as code reviews and automated Git commit messages. Developers are prompted to enter API keys from platforms like OpenAI and SiliconFlow during a seemingly routine setup process. However, researchers note that the malicious code intercepts the save function in Integrated Development Environments (IDEs)—the primary software used for coding. When a user saves their work, the extension transmits authentication data in plaintext via an unencrypted HTTP connection, silently relaying it to the attackers’ command and control (C2) server without any visual prompts or permission requests.
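The behavior described above, a provider API key leaving the IDE over cleartext HTTP to a host that is not the provider, is something defenders can hunt for in egress proxy or host sensor logs. The sketch below is an added example, not code from Aikido's research or from the plugins; the `sk-` key shape, the expected-host list, the record fields and the sample log entries are assumptions constructed for illustration.

```python
import re

# Assumption: OpenAI-style secrets ("sk-" followed by 20+ token characters).
KEY_RE = re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b")
# Assumption: hosts where a provider key is legitimately sent; extend per provider in use.
EXPECTED_HOSTS = {"api.openai.com", "api.deepseek.com"}

# Constructed sample records, shaped like entries from an egress proxy or host sensor.
SAMPLE_LOG = [
    {"process": "idea64.exe", "scheme": "https", "host": "api.openai.com",
     "data": "Authorization: Bearer sk-EXAMPLEexample0000000000000001"},
    {"process": "idea64.exe", "scheme": "http", "host": "collector.example.invalid",
     "data": '{"apiKey":"sk-EXAMPLEexample0000000000000001"}'},
    {"process": "pycharm64.exe", "scheme": "https", "host": "plugins.jetbrains.com",
     "data": "GET /plugins/list"},
]

def redact(key):
    """Keep enough of the key to match it for rotation without logging the secret."""
    return key[:5] + "..." + key[-4:]

def find_key_leaks(records, expected_hosts=EXPECTED_HOSTS):
    """Flag requests that carry a key-shaped token in cleartext or to an unexpected host."""
    findings = []
    for rec in records:
        for key in sorted(set(KEY_RE.findall(rec["data"]))):
            reasons = []
            if rec["scheme"].lower() != "https":
                reasons.append("plaintext-transport")
            if rec["host"].lower() not in expected_hosts:
                reasons.append("unexpected-destination")
            if reasons:
                findings.append({"process": rec["process"], "host": rec["host"],
                                 "key": redact(key), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in find_key_leaks(SAMPLE_LOG):
        print(finding)
```

Any key that appears in a finding should be treated as exposed and rotated at the provider, since the redacted prefix and suffix are enough to identify which one it is.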

Aikido’s research further reveals that the malicious campaign incorporates a monetized secondary tier. Users who opt to pay a nominal fee through an in-app donation are reportedly sent functional, unrestricted AI keys from the malicious server. This raises concerns that the keys issued to paying users could very well be those pilfered from other victims, effectively transforming the attack into a service that capitalizes on stolen API access.

This dual-pronged strategy enables attackers to compromise developer credentials while generating revenue, forcing original credential owners to bear the cost of unauthorized compute usage. Notably, the focus on IDEs is an alarming trend; plugins for these environments have elevated privileges and lack strict sandbox restrictions, making them attractive targets for extracting source code, cloud credentials, and API access. This technique echoes tactics used in the GlassWorm malware campaign, which successfully infiltrated the Visual Studio Code ecosystem in late 2025.

Given that IDE plugins operate directly on sensitive development machines, cybersecurity experts strongly recommend that developers exercise the same caution with marketplace extensions as they would with any third-party code dependencies. Business owners should remain vigilant and assess the cybersecurity posture of their development tools to mitigate risks posed by such supply chain vulnerabilities.

The implications of this attack underscore the importance of robust security practices in software development environments. As threats evolve, maintaining an awareness of adversary tactics—ranging from initial access and persistence to privilege escalation as outlined in the MITRE ATT&CK framework—becomes critical for protecting organizational assets.
