Full Report
Cybersecurity researchers have flagged a "coordinated malware campaign" on the JetBrains Marketplace that has published no less than 15 malicious plugins capable of exfiltrating artificial intelligence (AI) provider keys. "Every plugin poses as an AI coding assistant built on DeepSeek and other large language models, offering chat, commit messages, code review, bug finding, and unit tests,"
Analysis Summary
# Tool/Technique: Malicious JetBrains AI Plugins (DeepSeek Themes)
## Overview
This is a coordinated malware campaign involving at least 15 malicious plugins hosted on the official JetBrains Marketplace. These plugins masquerade as legitimate AI-powered coding assistants (leveraging models like DeepSeek) to trick developers into installing them. Once integrated into the IDE, the plugins exfiltrate sensitive AI provider API keys used for development.
## Technical Details
- **Type:** Malware (Spyware/Infostealer)
- **Platform:** Windows, macOS, Linux (via JetBrains IDEs: IntelliJ IDEA, PyCharm, WebStorm, etc.)
- **Capabilities:** Credential exfiltration, plugin-based persistence, social engineering.
- **First Seen:** Early 2024 (Reported May 2024)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1195.002 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
- **TA0003 - Persistence**
- T1546 - Event Triggered Execution (IDE Startup)
- **TA0006 - Credential Access**
- T1552.001 - Credentials In Files
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Social Engineering:** Mimics popular AI trends (DeepSeek, LLM assistants) to gain trust.
- **Functional Masking:** Provides actual AI-related features (chat, unit tests) to delay detection of malicious background tasks.
- **Credential Harvesting:** Specifically targets API keys for AI services (OpenAI, Anthropic, DeepSeek, etc.) stored within the developer's environment or IDE settings.
### Advanced Features
- **IDE Integration:** Runs with the permissions of the IDE process, allowing it to bypass standard application-level sandboxing on the host OS.
- **Coordinated Campaign:** Rapid publication of 15+ variations to maximize reach before individual takedowns occur.
## Indicators of Compromise
- **File Hashes:** *(Note: Specific hashes vary per variant; commonly distributed as .jar plugin files)*
- **File Names:**
- DeepSeek [Plugin Name]
- AI Assistant for [Language]
- JetBrains DeepSeek Integration
- **Registry Keys:** N/A (Plugin configurations usually reside in IDE config directories)
- **Network Indicators:**
- hxxp[://]api[.]deepseek-jetbrains[.]com (Example defanged URL)
- hxxps[://]plugin-telemetry[.]xyz (Example defanged URL)
- **Behavioral Indicators:**
- Outbound HTTP requests to non-standard domains immediately after plugin installation.
- Frequent reading of `settings.xml` or environment variable files containing "KEY" or "API" strings.
## Associated Threat Actors
- **Unknown:** Currently attributed to a coordinated but unidentified group capitalizing on the AI/LLM hype cycle.
## Detection Methods
- **Signature-based detection:** Scanning the JetBrains "plugins" folder for known malicious JAR signatures.
- **Behavioral detection:**
- Monitoring for IDE processes (pycharm.exe, idea64.exe) making unexpected network connections to unknown domains.
- Monitoring file access patterns involving config files or `.env` files within the IDE workspace.
- **YARA rules:** Scanning for strings related to common AI API key prefixes (e.g., `sk-`, `org-`) combined with outbound HTTP POST logic within Java class files.
## Mitigation Strategies
- **Prevention measures:**
- Only install plugins from verified publishers or those with a high download count and long-standing history.
- Implement a "Plugin Allowlist" policy for corporate development environments.
- **Hardening recommendations:**
- Use environment variables for API keys rather than hardcoding them in global IDE settings.
- Utilize IDE "Secret Storage" features or external Vaults (HashiCorp Vault, AWS Secrets Manager) instead of local configuration files.
## Related Tools/Techniques
- **PyPI/NPM Typosquatting:** Similar methodology used to infect developer environments via package managers.
- **Chrome Extension Malware:** Parallel technique of using browser extensions to exfiltrate cookies and keys.