An AI provider key is money. Not a metaphor for money: actual metered spend that converts straight into compute somebody else gets to use. That is the quiet shift behind the latest supply-chain campaign, and it changes who wants your secrets and why.
Researchers at Aikido Security found at least 15 malicious plugins on the official JetBrains Marketplace, spread over seven publisher accounts and downloaded almost 70,000 times between them. Every one does the job it advertises. It also forwards the AI API key you paste into its settings to a server the attacker controls. The newest of these plugins went live on June 10, 2026, and the campaign traces back to October 2025, so this ran for the better part of a year inside a marketplace developers are told to trust.
What the plugins actually do
These are not broken or obviously sketchy add-ons. They behave like real AI coding helpers, writing commit messages, reviewing diffs, suggesting fixes, drafting tests, and answering questions in a side panel. The biggest names in the set carried tens of thousands of installs apiece: CodeGPT AI Assistant sat near 25,500, and DeepSeek AI Assist topped it at 27,727. Both delivered exactly what their store listing promised.
The theft happens at the one moment you would never look twice at. When you enter your API key in the plugin settings and click Apply, the same handler that stores your key locally also ships a copy of it, in plaintext, to a fixed address the attacker runs at 39.107.60.51. There is no prompt, no confirmation, no second click. The providers caught up in this are OpenAI, DeepSeek, and SiliconFlow, the exact services these plugins are built to talk to.
That design is the point. A plugin that misbehaves on launch gets caught. A plugin that behaves perfectly and skims one secret during a routine settings save sails through the kind of review most teams actually do, which is checking whether the thing works.
The loot is the business model
Aikido's read on the motive is what makes this worth your attention. The stolen keys are not hoarded for some future intrusion. They are resold. The operator collects payment from customers who want cheap AI access, hands them working keys lifted from unpaid victims, and the genuine key owner absorbs the usage costs. Both ends of the trade make money, and the person who actually pays the provider invoice is the mark.
This is a different threat shape from the credential theft we are used to. A stolen password is a foothold an attacker still has to do something with. A stolen metered API key is already the payoff the moment it works. There is no lateral movement to detect, no privilege to escalate, no malware to drop on a server. The attacker's whole operation is: bill your account and pocket the difference.
Why your existing controls miss this
Most secret-scanning lives where teams expect secrets to leak: source repositories, CI pipelines, cloud config, public paste sites. An AI key sitting in a JetBrains plugin's local settings on a developer's laptop is in none of those places. It is in application config on an endpoint, which is a blind spot for repo scanners and for most data-loss tooling.
The detection signal is worse than absent: it is misfiled. When this kind of theft surfaces, it usually surfaces as a billing anomaly, a spend spike on an AI provider account that finance or platform notices before security does. By the time anyone connects the spike to a plugin, the key has been billing strangers for weeks. We have written before about trusted components becoming the blind spot in the auth stack, and this is the same lesson moved into the developer toolchain.
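The blind spot above is concrete enough to sweep for. The script below is an added example for this article, not code from Aikido, JetBrains or any of the plugins named; it walks an IDE options directory and reports every value that looks like an AI key or sits under a secret-named option, so the finding lands with security before the invoice does. It assumes that plugin settings are persisted as `<component><option name="..." value="..."/></component>` XML under the IDE's `options` directory (the default roots, the `sk-` key prefix and the secret-name heuristic are assumptions to adjust for your estate), and the sample files it scans are constructed, not recovered from a real workstation.

```python
"""Scan JetBrains IDE option files on a workstation for AI provider API keys.

Added example; assumptions: settings are persisted as <component><option
name=... value=.../></component> XML under <Product><Version>/options, and
AI keys carry an "sk-" prefix. Tune both for the products and providers you use.
"""
import re
import tempfile
from pathlib import Path
import xml.etree.ElementTree as ET

# Assumed key shape; the OpenAI-style "sk-" prefix is what these plugins accept.
KEY_RE = re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b")
# Option names that suggest a secret even when the value has no known prefix.
SECRET_NAME_RE = re.compile(r"api[_-]?key|token|secret", re.IGNORECASE)
MIN_SECRET_LEN = 20


def default_roots() -> list:
    """Assumed per-OS settings roots; each product/version has its own options/."""
    home = Path.home()
    return [home / ".config" / "JetBrains",                          # Linux
            home / "Library" / "Application Support" / "JetBrains"]  # macOS


def mask(value: str) -> str:
    """Keep just enough of the key to match it in the provider console."""
    return value[:6] + "..." + value[-4:] if len(value) > 12 else "***"


def scan_options_dir(options_dir: Path) -> list:
    """Return one finding per secret-shaped value in options_dir/*.xml."""
    findings = []
    for xml_file in sorted(Path(options_dir).glob("*.xml")):
        try:
            root = ET.parse(xml_file).getroot()
        except ET.ParseError:
            continue  # skip malformed files rather than abort the sweep
        for component in root.iter("component"):
            for elem in component.iter():
                # A value may sit in any attribute or in the element text.
                candidates = list(elem.attrib.items())
                if elem.text and elem.text.strip():
                    candidates.append(("#text", elem.text.strip()))
                option_name = elem.get("name", "")
                for attr, value in candidates:
                    if KEY_RE.search(value):
                        reason = "key-shaped value"
                    elif (attr != "name" and len(value) >= MIN_SECRET_LEN
                          and SECRET_NAME_RE.search(option_name + " " + attr)):
                        reason = "long value under a secret-named option"
                    else:
                        continue
                    findings.append({"file": xml_file.name,
                                     "component": component.get("name", "?"),
                                     "option": option_name or attr,
                                     "masked": mask(value), "reason": reason})
    return findings


def scan_default_roots() -> list:
    """Sweep every <Product><Version>/options directory under the assumed roots."""
    findings = []
    for root in default_roots():
        for options_dir in root.glob("*/options"):
            findings.extend(scan_options_dir(options_dir))
    return findings


# Constructed sample: what a plugin's persisted settings look like on disk.
SAMPLE_FILES = {
    "aiAssistant.xml": """<application>
  <component name="AiAssistantSettings">
    <option name="provider" value="openai" />
    <option name="apiKey" value="sk-abcdefghijklmnopqrstuvwxyz012345" />
    <option name="deepseekToken" value="dsk_0123456789abcdefghijklmnop" />
  </component>
</application>""",
    "editor.xml": """<application>
  <component name="EditorSettings">
    <option name="fontSize" value="14" />
    <option name="lastProjectPath" value="/home/dev/projects/a-long-path-name" />
  </component>
</application>""",
}


def demo() -> list:
    """Write the constructed sample to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            Path(tmp, name).write_text(body)
        return scan_options_dir(Path(tmp))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}:{f['component']}.{f['option']} -> {f['masked']} ({f['reason']})")
```

Run it through your endpoint management tooling rather than by hand, and treat every hit as a key to rotate, not a key to investigate: the masked prefix is only there so you can find the matching key in the provider console.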
What to do this week
Treat installed IDE plugins as third-party code with access to your secrets, because that is what they are.
- Inventory and prune. Pull a list of JetBrains plugins installed across your developers, flag anything outside a known-good set, and remove AI-assistant, code-review, and Git-helper plugins you cannot account for. The malicious set masqueraded as exactly those three categories.
- Rotate any AI key entered into a third-party plugin. If a developer pasted an OpenAI, DeepSeek, or SiliconFlow key into a marketplace plugin, treat it as exposed and revoke it, then check the provider's usage log for the window the key was live before you close the ticket. Reissue keys scoped to the minimum the integration needs.
- Make billing a security signal. Set spend and rate alerts on every AI provider account and route them somewhere security sees, not just finance. For a resold metered key, the invoice is your earliest detection, so wire it up like one.
- Watch the egress. Outbound HTTP from a developer workstation to 39.107.60.51 is a clean indicator for this campaign, and unexpected plaintext POSTs from an IDE process are worth an alert beyond this one server.
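The egress rule in the last item is the one most teams can deploy today, so here it is as working detection logic. This is an added example for this article, not Aikido's or any vendor's code, and it goes one step past the single indicator: besides the 39.107.60.51 address the article names, it flags any IDE process making a plaintext POST, and any IDE POST to a host outside an allowlist of the providers it should be talking to. The log lines are constructed in an assumed `key=value` format, and the IDE process names, the allowlist and the severity scheme are assumptions to adapt to whatever your proxy or EDR actually emits.

```python
"""Flag IDE-originated egress matching the JetBrains plugin campaign pattern.

Added example. The IOC 39.107.60.51 is from the article; the log format,
process names, allowlist and severities are assumptions to fit your telemetry.
"""
import shlex

CAMPAIGN_IOCS = {"39.107.60.51"}  # exfiltration server named in the article

# Assumed launcher names for JetBrains IDEs; on some platforms the IDE shows up
# as a plain "java" process and you need the command line to tell it apart.
IDE_PROCS = {"idea64", "idea", "pycharm64", "pycharm", "goland64", "goland",
             "webstorm64", "webstorm", "clion64", "clion", "rider64", "rider",
             "phpstorm64", "phpstorm", "rubymine64", "rubymine", "datagrip64"}

# Assumed allowlist: the only places an IDE should POST to for AI features.
ALLOWED_HOSTS = {"api.openai.com", "api.deepseek.com", "api.siliconflow.cn",
                 "plugins.jetbrains.com"}

SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}


def parse_line(line: str) -> dict:
    """Parse 'k=v k=v ...' into a dict; values may be shell-quoted."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def evaluate(fields: dict):
    """Return (severity, reasons) for one event, or None if nothing fired."""
    dst = fields.get("dst", "")
    host = dst.rpartition(":")[0] or dst  # strip the port; IPv4/hostname only
    proc = fields.get("proc", "")
    reasons, severity = [], None

    def fire(level: str, reason: str):
        nonlocal severity
        reasons.append(reason)
        if severity is None or SEVERITY_RANK[level] > SEVERITY_RANK[severity]:
            severity = level

    # Rule 1: the campaign indicator, from any process at all.
    if host in CAMPAIGN_IOCS:
        fire("critical", "destination is a known key-exfiltration server")
    # Rules 2 and 3: the generic pattern behind the indicator.
    if proc in IDE_PROCS and fields.get("method") == "POST":
        if fields.get("scheme") == "http":
            fire("high", "plaintext POST from an IDE process")
        if host not in ALLOWED_HOSTS:
            fire("medium", "IDE POST to a host outside the provider allowlist")
    return (severity, reasons) if reasons else None


def analyze(lines) -> list:
    """Run every rule over each log line and return the alerts raised."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        fields = parse_line(line)
        verdict = evaluate(fields)
        if verdict:
            severity, reasons = verdict
            alerts.append({"src": fields.get("src"), "proc": fields.get("proc"),
                           "dst": fields.get("dst"), "severity": severity,
                           "reasons": reasons})
    return alerts


# Constructed sample telemetry (src = workstation, dst = remote host:port).
SAMPLE_LOG = """\
ts=2026-06-11T09:14:02Z src=dev-laptop-07 proc=idea64 method=POST scheme=http dst=39.107.60.51:80 path=/api/upload bytes=312
ts=2026-06-11T09:14:05Z src=dev-laptop-07 proc=idea64 method=POST scheme=https dst=api.openai.com:443 path=/v1/chat/completions bytes=2048
ts=2026-06-11T09:20:11Z src=dev-laptop-12 proc=pycharm64 method=POST scheme=https dst=203.0.113.45:443 path=/collect bytes=288
ts=2026-06-11T09:21:40Z src=dev-laptop-12 proc=chrome method=GET scheme=http dst=example.com:80 path=/ bytes=1024
ts=2026-06-11T09:30:00Z src=dev-laptop-03 proc=goland method=POST scheme=http dst=198.51.100.7:8080 path=/ingest bytes=301
"""


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(f"[{alert['severity']}] {alert['src']} {alert['proc']} -> {alert['dst']}: "
              + "; ".join(alert["reasons"]))
```

The allowlist rule is the one that outlives this campaign: a key skimmer that switches to TLS and a fresh server still has to POST from the IDE to somewhere your developers have no business sending secrets. Expect to tune it, since legitimate plugins do phone home to update and telemetry endpoints, and treat a medium hit as a question to ask the developer rather than an incident on its own.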
The bigger pattern is that AI credentials have become a liquid commodity with a working resale market, and the tools developers install to use AI are the easiest place to grab them. Expect more of this, on more marketplaces, because the economics are clean and the victim pays in a currency that does not trip a security alarm. Govern the plugins your developers install with the same seriousness you give the packages they import, and put a price alert where your first breach notification is going to come from anyway.