{"id":1345,"date":"2026-06-17T09:50:49","date_gmt":"2026-06-17T09:50:49","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=1345"},"modified":"2026-06-17T09:50:49","modified_gmt":"2026-06-17T09:50:49","slug":"malicious-jetbrains-plugins-steal-ai-api-keys-as-chrome-extensions-capture-chatbot-chats","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=1345","title":{"rendered":"Malicious JetBrains Plugins Steal AI API Keys as Chrome Extensions Capture Chatbot Chats"},"content":{"rendered":"<div id=\"articlebody\">\n<p>Cybersecurity researchers have flagged a \u00abcoordinated malware campaign\u00bb on the JetBrains Marketplace that has published no less than 15 malicious plugins capable of exfiltrating artificial intelligence (AI) provider keys.<\/p>\n<p>\u00abEvery plugin poses as an AI coding assistant built on DeepSeek and other large language models, offering chat, commit messages, code review, bug finding, and unit tests,\u00bb Aikido Security researcher Ilyas Makari <a href=\"https:\/\/www.aikido.dev\/blog\/multiple-jetbrains-ide-plugins-caught-stealing-ai-keys\">said<\/a>. \u00abThey function exactly as advertised. However, the AI provider API key you enter gets exfiltrated to a server controlled by the attacker.\u00bb<\/p>\n<p>The activity is said to have been ongoing since the end of October 2025, with new plugins released as recently as June 10, 2026. 
Two of the plugins, CodeGPT AI Assistant and DeepSeek AI Assist, have more than 25,000 downloads each, although it&#8217;s not clear if the counts are authentic or if they have been inflated to fake their popularity.<\/p>\n<p>The complete list of plugins is below &#8211;<\/p>\n<ul>\n<li>DeepSeek Junit Test (org.sm.yms.toolkit)<\/li>\n<li>DeepSeek Git Commit (com.json.simple.kit)<\/li>\n<li>DeepSeek FindBugs (org.bug.find.tools)<\/li>\n<li>DeepSeek AI Chat (org.translate.ai.simple)<\/li>\n<li>DeepSeek Dev AI (com.yy.test.ai.simple)<\/li>\n<li>DeepSeek AI Coding (com.dev.ai.toolkit)<\/li>\n<li>AI FindBugs (com.json.view.simple)<\/li>\n<li>AI Git Commitor (com.my.git.ai.kit)<\/li>\n<li>AI Coder Review (org.check.ai.ds)<\/li>\n<li>DeepSeek Coder AI (com.review.tool.code)<\/li>\n<li>AI Coder Assistant (org.code.assist.dev.tool)<\/li>\n<li>DeepSeek Code Review (com.coder.ai.dpt)<\/li>\n<li>CodeGPT AI Assistant (com.my.code.tools)<\/li>\n<li>DeepSeek AI Assist (ord.cp.code.ai.kit)<\/li>\n<li>Coding Simple Tool (com.dp.git.ai.tool)<\/li>\n<\/ul>\n<p>Aikido Security said all 15 plugins share a similar codebase, requiring users to open the settings panel and enter an API key for an AI provider such as OpenAI, SiliconFlow, or DeepSeek in order to carry out the promised functionality.<\/p>\n<p>While the plugins work as they are intended to, they have been found to sneak in the 
ability to covertly siphon the provided API key to a remote server (\u00ab39.107.60[.]51\u00bb) under the attacker&#8217;s control in a plaintext HTTP request.<\/p>\n<p>\u00abThe plugins also run a paid tier,\u00bb the company said. \u00abAfter a user pays a small fee through the donation wall built into the plugin, the server sends an API key back down to the client, and the plugin starts using that key for its model calls instead of your own, which is bizarre, since no legitimate operator would simply hand a user a working and unrestricted key to a paid AI provider.\u00bb<\/p>\n<p>This has raised the possibility that the operators behind the campaign are sharing the stolen AI provider API keys with other threat actors as part of an illicit monetization scheme, effectively turning it into a service that grants paying users access to the victim&#8217;s AI provider.<\/p>\n<p>\u00abThe operator collects money on one side and free credentials on the other, while the genuine key owners pay the bill,\u00bb Makari added.<\/p>\n<p>The campaign is further evidence of how threat actors are <a href=\"https:\/\/www.stepsecurity.io\/blog\/miasma-and-hades-are-spreading-now-detect-them-on-developer-machines-with-suspicious-files\">increasingly targeting developer environments<\/a> through the open-source ecosystem. Such environments have become a lucrative target because they host source code, cloud credentials, signing keys, and API keys for paid AI services that can be resold for LLMjacking schemes.<\/p>\n<p>\u00abTreat a plugin the same way you would treat any dependency that runs with your privileges, and be cautious about pasting long-lived secrets into tools you have not vetted,\u00bb Aikido Security said.<\/p>\n<h3>Malicious Chrome Extensions Steal AI Conversations<\/h3>\n<p>The development coincides with the discovery of two Google Chrome ad blocker extensions that have been caught capturing users&#8217; conversations with AI chatbots like OpenAI 
ChatGPT, Anthropic Claude, Google Gemini, Microsoft Copilot, Perplexity, DeepSeek, xAI Grok, and Meta AI. The data collection operation has been codenamed <a href=\"https:\/\/malext.io\/reports\/PromptSnatcher\/\">PromptSnatcher<\/a> by researcher Jean-Marie R.<\/p>\n<p>The names of the extensions, which are still available on the Chrome Web Store, are as follows &#8211;<\/p>\n<ul>\n<li>Smart Adblocker (ID: iojpcjjdfhlcbgjnpngcmaojmlokmeii) &#8211; 90,000 users (Published in October 2022)<\/li>\n<li>Adblock for Browser (ID: jcbjcocinigpbgfpnhlpagidbmlngnnn) &#8211; 10,000 users (Published in August 2023)<\/li>\n<\/ul>\n<p>\u00abWhile presented as ad blockers, the extensions ship a custom-built interception engine that records non-public conversations, model usage, and account-tier metadata from every major AI platform (ChatGPT, Claude, Gemini, and others),\u00bb the researcher said. \u00abThe operation uses legitimate public filter lists (EasyList, IDCAC) as functional cover, providing genuine ad-blocking utility while running an undisclosed telemetry channel.\u00bb<\/p>\n<p>The fact that the two extensions have been around for several years indicates that the AI-related functionality was introduced through software updates.<\/p>\n<p>These efforts are part of an attack technique called Prompt Poaching. 
Over the past several months, browser extensions, both legitimate and malicious, have been observed adopting this method to stealthily capture AI chats. What&#8217;s unclear is whether these practices violate Google&#8217;s policies for browser extensions.<\/p>\n<p>\u00abThe extensions intercept full AI conversation history, model usage, and subscription tier from eight platforms, and transmit this data to operator-controlled infrastructure without notification to the user beyond a generic &#8216;Enhanced Protection&#8217; consent string,\u00bb the researcher noted.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity researchers have flagged a \u00abcoordinated malware campaign\u00bb on the JetBrains Marketplace that has published no less than 15 malicious plugins capable of exfiltrating artificial intelligence (AI) provider keys. \u00abEvery&hellip;<\/p>\n","protected":false},"author":1,"featured_media":1346,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[14,2078,1805,2079,182,361,2076,144,33,2077,571],"class_list":["post-1345","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-api","tag-capture","tag-chatbot","tag-chats","tag-chrome","tag-extensions","tag-jetbrains","tag-keys","tag-malicious","tag-plugins","tag-steal"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/1345","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1345"}],"versi
on-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/1345\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/1346"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1345"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1345"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1345"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}