Fake AI Coding Plugins Are Draining DeepSeek and OpenAI API Keys

Frequently asked

How do fake reviews on developer marketplaces pass moderation?

Plugin marketplaces like JetBrains rely primarily on automated heuristics and community flagging rather than manual review of every submission. Coordinated fake reviews — even a small number posted in sequence — can push a malicious plugin past credibility thresholds before organic users install it in large enough numbers to trigger reports. The attack exploits the gap between publication speed and review depth.

Which AI API keys are most at risk in a multi-model developer environment?

Any key stored in environment variables, IDE configuration files, or shell profiles is exposed. DeepSeek and OpenAI keys were confirmed targets in this campaign. Developers running Ollama, Claude, or other local-plus-cloud hybrid setups store multiple provider credentials in the same environment — meaning a single malicious plugin can harvest access to several frontier models at once.

What should a developer do immediately after installing an unknown JetBrains plugin?

Rotate all AI provider API keys immediately — do not wait for confirmation of compromise. Audit installed plugins against the official JetBrains plugin ID list and remove any installed in the past 90 days that cannot be verified against a known publisher. Check shell profiles and IDE environment config for any unexpected variable reads logged during recent sessions.

More on this wire