Malicious IDE Plugins Are Stealing Your API Keys

Your team's JetBrains environment is now an attack vector. Since October 2025, malicious plugins posing as AI coding assistants have been stealing API keys from developer workstations. Two such plugins—CodeGPT AI Assistant and DeepSeek AI Assist—each amassed over 25,000 downloads before Aikido Security exposed them. The stolen credentials are being sent to 39.107.60[.]51, giving attackers direct access to your AI service accounts and billing.

This is not an isolated incident. Developers frequently install IDE plugins and browser extensions without a security review, expanding your attack surface. Your current controls likely don't address this threat model.

Preparing to Secure Your Plugin Ecosystem

Before securing your plugin ecosystem, you need to know what you're dealing with:

Access requirements:

• Admin access to your endpoint management system (Intune, Jamf, or equivalent)
• Read access to your identity provider for API key issuance logs
• Ability to query developer workstations remotely

Technical prerequisites:

• A script execution framework (PowerShell remoting, Ansible, or SSH for remote queries)
• Centralized logging for API usage (CloudTrail, Azure Monitor, or equivalent)
• Your organization's approved software list

Stakeholder alignment:

• Engineering leadership support for new installation policies
• Agreement on acceptable friction levels for developers
• Clear escalation path for blocking critical-but-unapproved tools

Allocate 4-6 hours for initial implementation and testing before organization-wide rollout.

Step-by-Step Implementation

Phase 1: Discover Installed Plugins

Identify every plugin and extension currently running in your environment.

For JetBrains IDEs:

# Linux/Mac workstations
find ~/.config/JetBrains -name "plugins" -type d -exec ls -la {} \;

# Windows workstations (PowerShell)
Get-ChildItem -Path "$env:APPDATA\JetBrains" -Recurse -Directory -Filter "plugins"

Centralize the output. Look for plugin names, installation dates, and version numbers. Cross-reference with the JetBrains Marketplace to identify removed or flagged plugins.

For browser extensions:

# Chrome on Mac
sqlite3 ~/Library/Application\ Support/Google/Chrome/Default/Extensions/Extensions "SELECT * FROM extensions"

# Chrome on Windows (PowerShell)
Get-ChildItem "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions"

Compile a spreadsheet with: developer name, plugin/extension name, install date, and source marketplace.

Phase 2: Identify High-Risk Installations

Flag any plugin that:

• Was installed in the past 90 days but is no longer available in the official marketplace
• Requests network permissions or file system access beyond its stated purpose
• Comes from a publisher with fewer than three published tools
• Has fewer than 1,000 downloads but claims to integrate with major AI services (OpenAI, Anthropic, Google)

For the JetBrains plugins mentioned in the Aikido Security report, search your inventory for:

• CodeGPT AI Assistant
• DeepSeek AI Assist
• Any plugin with "AI Assistant" in the name published after October 2025

Phase 3: Rotate Compromised Credentials

If you find flagged plugins, assume credential compromise.

For API keys:

# List all API keys issued to affected users (AWS example)
aws iam list-access-keys --user-name <developer-username>

# Deactivate and create new keys
aws iam delete-access-key --access-key-id <KEY_ID> --user-name <developer-username>
aws iam create-access-key --user-name <developer-username>

Repeat for OpenAI, Anthropic, Azure OpenAI, and any other AI service your team uses. Check billing logs for unexpected usage spikes from the installation date to today.

Phase 4: Implement Allowlisting

Create an approved plugin list. This isn't about blocking everything—it's about enforcing a review process.

Build your allowlist:

1. Survey your top 20 developers for their must-have plugins
2. Review each plugin's permissions and publisher history
3. Test each plugin in an isolated VM for unexpected network calls
4. Document the business justification for each approved tool

Enforce it technically:

For Windows environments using Intune:

• Deploy a PowerShell script that runs at login
• Script checks installed plugins against your allowlist
• Removes unauthorized plugins and logs the action

For Mac environments using Jamf:

• Create a configuration profile that restricts plugin directories
• Use extension attributes to inventory and report violations

Phase 5: Control API Key Distribution

Stop storing API keys in environment variables or config files where plugins can read them.

Implement a secrets manager:

# Example using AWS Secrets Manager
aws secretsmanager create-secret \
  --name dev/openai-api-key \
  --secret-string "sk-..."

# Developers retrieve keys programmatically
aws secretsmanager get-secret-value \
  --secret-id dev/openai-api-key \
  --query SecretString \
  --output text

Configure your secrets manager to:

• Require MFA for secret retrieval
• Log every access with user identity and timestamp
• Rotate keys automatically every 90 days
• Restrict retrieval to specific IP ranges or VPN endpoints

Validation - How to Verify It Works

Run these checks one week after implementation:

Plugin inventory accuracy:

• Re-scan 10% of developer workstations
• Compare results to your allowlist
• Confirm no flagged plugins remain

API key security:

• Review your secrets manager audit logs
• Verify no plaintext keys exist in git repositories (use truffleHog or gitleaks)
• Check that old keys have been deactivated in each AI service console

Detection capability:

• Attempt to install a non-approved plugin on a test workstation
• Verify your monitoring alerts on the installation
• Confirm the plugin is automatically removed within your defined SLA

Maintenance / Ongoing Tasks

Weekly:

• Review new plugin installation requests from developers
• Check for marketplace removals of currently-approved plugins
• Scan API usage logs for anomalies (usage from unexpected geolocations, volume spikes)

Monthly:

• Audit your allowlist against actual usage—remove approved-but-unused plugins
• Test your automated removal scripts on a subset of workstations
• Review secrets manager access patterns for suspicious behavior

Quarterly:

• Re-evaluate your plugin approval criteria as threats evolve
• Conduct tabletop exercises: "What if a developer bypasses the allowlist?"
• Update your incident response playbook with plugin-specific compromise scenarios

The marketplace model that enhances developer productivity also introduces vulnerabilities. While you can't eliminate this tension, you can make the cost of compromise high enough to keep your team ahead of the next threat.