Answer Brief
Researchers uncovered 15 malicious JetBrains plugins posing as AI coding assistants that exfiltrate API keys for OpenAI, DeepSeek, and other LLMs, alongside two Chrome extensions stealing AI chat conversations from major platforms, highlighting supply chain risks in developer tools and browser extensions.
Signal Timeline
A quick visual path for analysts before reading the full brief.
- 1
Campaign activity began with initial malicious plugin releases
- 2
Adblock for Browser Chrome extension published
- 3
Smart Adblocker Chrome extension published
- 4
Most recent malicious JetBrains plugin released
Executive Summary: Researchers uncovered 15 malicious JetBrains plugins posing as AI coding assistants that exfiltrate API keys for OpenAI, DeepSeek, and other LLMs, alongside two Chrome extensions stealing AI chat conversations from major platforms, highlighting supply chain risks in developer tools and browser extensions.
Why It Matters
The discovery of 15 malicious JetBrains plugins represents a significant supply chain security threat targeting AI developer workflows. These plugins, hosted on the official JetBrains Marketplace, mimic legitimate AI coding assistants by offering features such as chat, commit message generation, code review, bug finding, and unit tests—functions that require access to AI provider API keys. However, once users enter their API keys for services like OpenAI, DeepSeek, or SiliconFlow, the plugins exfiltrate this sensitive data to an attacker-controlled server at 39.107.60[.]51 via plaintext HTTP requests. The campaign has been active since at least October 2025, with updates as recent as June 10, 2026, indicating sustained operation and evasion of detection. Notably, two plugins—CodeGPT AI Assistant and DeepSeek AI Assist—each report over 25,000 downloads, though researchers caution these numbers may be inflated to falsely establish credibility and lure more victims. A particularly troubling aspect of the plugin behavior is the post-payment mechanism: after users pay a small fee via an integrated donation wall, the attacker’s server returns a valid API key to the client, enabling the plugin to function using that key instead of the user’s own. This unusual tactic suggests a possible illicit service model where stolen API keys are redistributed to paying users, effectively allowing threat actors to profit twice—once from user payments and again from the unauthorized use of victims’ AI quotas and billing, a scheme aligned with LLMjacking monetization. Parallel to this, the identification of two long-standing Chrome extensions—Smart Adblocker (90,000 users, since October 2022) and Adblock for Browser (10,000 users, since August 2023)—reveals a concurrent threat vector: the theft of AI conversation data. These extensions, which appear to function as legitimate ad blockers using public filter lists like EasyList and IDCAC, have been found to include a hidden interception engine that captures full chat histories, model usage, and subscription-tier metadata from eight major AI platforms. The operation, dubbed "PromptSnatcher," transmits this data to attacker infrastructure without clear user notification, relying only on a generic "Enhanced Protection" consent string. The multi-year presence of these extensions suggests the AI data exfiltration functionality was added via stealthy updates, a tactic consistent with the growing trend of "Prompt Poaching" where browser add-ons are weaponized to harvest sensitive AI interactions under false pretenses. Together, these threats underscore a broader shift in attacker focus toward the AI supply chain: compromising trusted developer tools and widely used browser extensions to steal both credentials (API keys) and sensitive interaction data (prompts, responses, usage patterns). Such data can be used to hijack AI service accounts, reconstruct proprietary prompts, infer model behavior, or facilitate further social engineering. The fact that these campaigns operate within legitimate marketplaces—JetBrains Marketplace and Chrome Web Store—highlights the limitations of relying solely on platform vetting and the need for runtime scrutiny of tool behavior, especially when handling secrets or communicating externally. For global security, AI, and developer operations teams, the implications are clear: any tool that requests AI API keys or processes AI chat data must be treated as a high-risk asset. Organizations should enforce strict vetting of IDE plugins and browser extensions, monitor for unauthorized outbound connections to unfamiliar domains, and consider implementing API key usage anomaly detection. Additionally, user education must emphasize that even seemingly benign tools—ad blockers, coding assistants—can pose significant risks if not properly scrutinized. As AI integration deepens across development workflows, securing the periphery of AI usage—where keys are entered and conversations occur—has become as critical as protecting the models themselves.
Event Type: security
Importance: high
Affected Companies
- Aikido Security
- Anthropic
- DeepSeek
- JetBrains
- Meta
- Microsoft
- OpenAI
- Perplexity
- SiliconFlow
- xAI
Affected Sectors
- AI security
- browser extensions
- developer tools
- supply chain security
Key Numbers
- Malicious JetBrains plugins identified: 15
- Downloads for CodeGPT AI Assistant plugin: 25,000+
- Downloads for DeepSeek AI Assist plugin: 25,000+
- Users of Smart Adblocker Chrome extension: 90,000
- Users of Adblock for Browser Chrome extension: 10,000
- Attacker server IP for API key exfiltration: 39.107.60[.]51
Timeline
- Campaign activity began with initial malicious plugin releases
- Adblock for Browser Chrome extension published
- Smart Adblocker Chrome extension published
- Most recent malicious JetBrains plugin released
- Researchers publicly disclosed the coordinated malware campaign
Frequently Asked Questions
How do the malicious JetBrains plugins steal AI API keys?
The plugins pose as legitimate AI coding assistants for DeepSeek and other LLMs, requiring users to enter API keys in settings. While functioning as advertised, they covertly exfiltrate the entered API keys via HTTP requests to an attacker-controlled server (39.107.60[.]51) in plaintext format.
What is the bizarre behavior observed after users pay via the donation wall in these plugins?
After a user pays a small fee through the plugin's donation wall, the attacker's server sends back a working API key to the client, allowing the plugin to use that key for model calls instead of the user's own—suggesting the operators may be sharing stolen keys with paying users as part of an illicit monetization scheme.
What AI platforms are targeted by the malicious Chrome extensions known as PromptSnatcher?
The Chrome extensions intercept and exfiltrate conversations, model usage, and subscription tier data from eight major AI platforms: OpenAI ChatGPT, Anthropic Claude, Google Gemini, Microsoft Copilot, Perplexity, DeepSeek, xAI Grok, and Meta AI.
Why are developer environments and browser extensions increasingly targeted in AI-related attacks?
Developer environments host source code, cloud credentials, signing keys, and API keys for paid AI services, making them lucrative targets for LLMjacking. Browser extensions, even legitimate ones, can be updated to add covert telemetry channels that steal AI chat data under the guise of enhanced protection or ad blocking.
What mitigation advice do researchers provide for handling plugins and extensions?
Treat any plugin or extension as a dependency running with your privileges; avoid pasting long-lived secrets like API keys into unvetted tools; and rigorously review permissions and behavior, especially when tools request access to sensitive data or external communication.