Malicious AI plugins steal your API keys: the fake-assistant scam of 2026
The "AI" label has become bait. In June 2026, researchers reported roughly 15 malicious plugins on the JetBrains Marketplace posing as AI coding assistants, some with 25,000-plus installs each, quietly sending developers' OpenAI and DeepSeek API keys to attacker servers. A paired campaign called PromptSnatcher disguises two Chrome extensions as ad blockers and reads your ChatGPT, Claude and Gemini conversations. The danger is not the word "AI". It is the source and the permissions.
Verdict: real and active threat
Some "AI assistant" IDE plugins and "ad blocker" browser extensions are spyware that steal your AI API keys and your chatbot conversations. The Hacker News and BleepingComputer reported in mid-June 2026 that around 15 malicious JetBrains Marketplace plugins posing as AI coding assistants, with names like CodeGPT AI Assistant and DeepSeek AI Assist and some with 25,000-plus installs each, exfiltrate a developer's OpenAI, DeepSeek and SiliconFlow API keys in plaintext over unencrypted HTTP to attacker-controlled servers. The newest malicious plugin was published June 10, 2026. A separate campaign nicknamed PromptSnatcher uses two Chrome extensions disguised as ad blockers to silently capture your sessions with ChatGPT, Claude, Gemini, Copilot, Perplexity and Grok, exfiltrating both your prompts and the answers. The red flag is never the "AI" name. It is an unverified publisher plus broad permission to read every site or all your AI chat tabs. Install only from verified publishers, audit the permissions, and rotate any exposed key at the provider immediately. A real coding tool does not need to read all your browser tabs, and a real ad blocker does not need to read your ChatGPT chats.
Why attackers are dressing malware up as "AI"
Developers and AI power users are the target, and that is deliberate. These are exactly the people who hold something worth stealing: a paid API key tied to a billing account, and chat logs stuffed with source code, secrets, internal plans and customer data. The "AI" label is the lure because everyone is installing AI tooling right now, and a new assistant plugin or a "smarter" ad blocker does not raise an eyebrow.
Two things make the theft quiet. An API key sits in your editor config or your environment, ready to be read by any plugin you trust enough to install. And a browser extension you grant "read your data on all websites" can see the contents of your open tabs, including the page where you are chatting with a model. Neither attack needs your password. It needs your trust at install time, which the "AI" branding and a faked install count are designed to win.
The fake AI coding plugins that grab your keys
In mid-June 2026, The Hacker News and BleepingComputer reported that researchers found roughly 15 malicious plugins on the JetBrains Marketplace, the add-on store for IDEs like IntelliJ IDEA, PyCharm and WebStorm. They pose as AI coding assistants, with names built to sound familiar, such as CodeGPT AI Assistant and DeepSeek AI Assist. Some carried 25,000-plus installs each, and the install counts plus reviews can be inflated to look established. The newest malicious plugin in the set was published on June 10, 2026, so this is current, not a cleared-up old incident.
The plugins do offer some assistant-like behavior, which is the cover. Underneath, they read the developer's stored AI API keys, the OpenAI, DeepSeek and SiliconFlow credentials you configured so the tool can talk to a model, and send them in plaintext over unencrypted HTTP to a server the attacker controls. Plaintext over HTTP means there is no encryption protecting the key in transit, and anyone watching the network path, not just the operator, could read it.
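Because the keys leave in cleartext, they are also visible to your own egress monitoring. The sketch below is an added example, not code from the researchers or from any vendor: it scans outbound request logs for key-shaped strings sent over `http://` and reports the destination without re-logging the secret. The log layout, the process names, the sample lines and the assumption that keys follow the common `sk-...` shape are all constructed for illustration.

```python
import hashlib
import re

# Assumption: keys follow the common "sk-..." shape; adjust for your providers.
KEY_RE = re.compile(r"\bsk-[A-Za-z0-9_-]{20,}")
# Assumed (constructed) log layout: "<timestamp> <process> <method> <url> <body>"
# Only plain http:// URLs match; https:// lines are out of scope for this check.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (http://\S+) (.*)$")


def fingerprint(key):
    """Short hash so a finding can be tied to a key without storing the key again."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def find_cleartext_keys(lines):
    """Return one finding per key-shaped string seen in an unencrypted request."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, proc, _method, url, body = m.groups()
        for key in KEY_RE.findall(url + " " + body):
            findings.append({
                "time": ts,
                "process": proc,
                "dest": url.split("/")[2],       # host part of the URL
                "key_hint": key[:5] + "...",     # enough to recognise, not to reuse
                "key_sha256_12": fingerprint(key),
            })
    return findings


# Constructed sample lines; addresses are from documentation ranges.
SAMPLE_LOG = [
    "2026-06-12T09:14:03Z idea64 POST https://api.openai.com/v1/chat/completions body=omitted",
    "2026-06-12T09:14:04Z idea64 POST http://203.0.113.7/api/report key=sk-CONSTRUCTEDexample0000000000000000",
    "2026-06-12T09:15:10Z idea64 GET http://198.51.100.9/ping?k=sk-CONSTRUCTEDexample1111111111111111 -",
    "2026-06-12T09:16:00Z chrome GET http://example.org/index.html -",
]

if __name__ == "__main__":
    for finding in find_cleartext_keys(SAMPLE_LOG):
        print(finding)
```

Compare each reported fingerprint with the hash of the keys you hold to decide which ones to rotate.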
What does a stolen API key cost you? An attacker can run their own workloads on your account and let the bill land on you, which for a heavily used key can be a serious figure, or they can resell access to your key in bulk. Your provider sees the usage as yours. This is the same "trusted-tool" trap we covered in the fake wallet browser extension scam, only the prize here is your model credentials instead of your crypto.
Why fake install counts are not proof
A high install number feels like a safety signal. It is not. Counts and reviews can be padded, and a plugin that looks popular can still be days old and malicious, as the June 10 publish date shows. The signal that matters is who published it and what it asks to access, not how many people supposedly trusted it before you.
PromptSnatcher: fake ad blockers that read your AI chats
The paired campaign, nicknamed PromptSnatcher, attacks from the browser side. Two Chrome extensions present themselves as ad blockers, a category users install without much thought and expect to touch every page. That broad reach is the point. Instead of blocking ads, they read the AI chat pages you open and silently capture your conversations with ChatGPT, Claude, Gemini, Copilot, Perplexity and Grok, exfiltrating both your prompts and the model's answers.
Think about what you actually type into a chatbot. Code you are debugging, with the secret still in it. A draft of an unannounced product. A customer record you pasted in to summarize. Personal questions you would never say out loud. PromptSnatcher hands all of that to whoever runs the extension. A leaked chat log is not abstract: it is your source code and your business plans in someone else's hands. The official chat sites themselves, chatgpt.com and claude.ai, are not the problem here. The spy is the extension reading the page on top of them.
Check a download or install link before you trust it
About to install an "AI assistant" plugin or an extension from a link someone sent, an ad, or a search result? Paste the page or download URL below first. Our 3-layer engine (Local + APIs + AI) returns a verdict in about 3 seconds. Free, no signup. This checks the page and link, not the code inside an extension you have already installed, so also audit the publisher and permissions.
Red flags of a malicious AI plugin or extension
- An unverified or unfamiliar publisher. The author is not a verified publisher and is not the company whose name the tool borrows. A plugin named for a famous model does not mean the famous company made it.
- It asks for broad read access to every site. An extension that requests "read and change your data on all websites," or specifically on your AI chat domains, can see what you type into ChatGPT, Claude or Gemini. An ad blocker does not need to read your chats.
- A plugin that wants your API keys for no clear reason. Some assistant tools legitimately use a key you provide. Be sure the publisher is trustworthy before you paste one, because a malicious plugin can simply forward it.
- Impressive but unverifiable install counts. 25,000 installs sounds safe and can be faked. Recent publish dates on a "popular" tool are a tell.
- It is not the official first-party tool. The real assistant from a given AI provider comes from that provider's own listing and verified publisher, not a lookalike with a similar name.
- Vague or copied descriptions and screenshots. Lifted branding and a thin description that does not match the requested permissions is a warning.
What to do
- Install only from verified publishers. In a marketplace like the JetBrains Marketplace or chromewebstore.google.com, check the publisher name against the real company, and prefer the official first-party tool from the AI provider itself.
- Audit the permissions before you install. If an extension asks to read data on all sites and you cannot explain why it needs that, do not install it. Match the permission to the stated job.
- Rotate any exposed API key immediately. If you installed one of these plugins, assume the key is compromised. Sign in to your provider, such as the OpenAI dashboard, revoke the old key, generate a new one, and check the usage and billing for charges that are not yours.
- Remove unused plugins and extensions. Every add-on you keep is attack surface. Open your IDE plugin list and your browser extension list and uninstall what you do not actively use.
- Treat your chat history as exposed if you ran a fake ad blocker. Assume anything you typed into a chatbot while it was installed was read. Rotate any secrets you pasted, and tell your team if work data was involved.
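The "audit the permissions" step can be run against extensions that are already on disk. This is an added example, not SafeBrowz's or any marketplace's code: it reads an extension's `manifest.json` and lists every match pattern that reaches all sites or an AI chat host, so you can compare it with the extension's stated job. The two manifests are constructed, and the chat-host list holds only the two sites named in this article.

```python
import json
from pathlib import Path

# Match patterns that grant access to every site.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Chat hosts named in this article; extend with the other assistants you use.
AI_CHAT_HOSTS = ("chatgpt.com", "claude.ai")


def host_patterns(manifest):
    """Collect every match pattern the extension can read pages on (MV2 and MV3)."""
    patterns = []
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        patterns += [p for p in manifest.get(key, []) if p == "<all_urls>" or "://" in p]
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return patterns


def audit(manifest):
    """Return (reason, pattern) pairs to check against the extension's stated job."""
    findings = []
    for pattern in host_patterns(manifest):
        host = pattern.split("://", 1)[-1].split("/", 1)[0]
        host = host[2:] if host.startswith("*.") else host
        if pattern in ALL_SITES or host == "*":
            findings.append(("reads-all-sites", pattern))
        elif any(host == h or host.endswith("." + h) for h in AI_CHAT_HOSTS):
            findings.append(("reads-ai-chat", pattern))
    return findings


def audit_profile(extensions_dir):
    """Audit each <id>/<version>/manifest.json under a profile's Extensions folder."""
    return {str(p.parent): audit(json.loads(p.read_text(encoding="utf-8")))
            for p in Path(extensions_dir).glob("*/*/manifest.json")}


# Constructed manifests, not taken from any real extension.
FAKE_AD_BLOCKER = {
    "name": "Constructed Ad Blocker", "manifest_version": 3,
    "permissions": ["storage", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://chatgpt.com/*", "https://*.claude.ai/*"]}],
}
SINGLE_SITE_TOOL = {"name": "Constructed Single-Site Helper", "manifest_version": 3,
                    "permissions": ["storage"], "host_permissions": ["https://example.org/*"]}
```

Point `audit_profile` at the Extensions directory inside your browser profile; an empty list means the extension requests neither kind of access.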
How to report it
- Report the listing to the marketplace. Both the JetBrains Marketplace and the Chrome Web Store at chromewebstore.google.com have abuse-report links. Flagging a malicious plugin or extension gets it pulled and protects the next developer.
- Tell your AI provider about a stolen key. Contact the provider whose key was exposed so they can watch for abuse, and revoke the key from your own dashboard right away.
- In the US, report loss or fraud to the FBI Internet Crime Complaint Center at ic3.gov and to the FTC at reportfraud.ftc.gov if a stolen key ran up charges or a chat leak caused harm.
- Warn your team and the impersonated brand. If a fake tool borrowed a real company's name, that company wants to know so it can warn its users.
How SafeBrowz blocks this threat
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.
- Layer 1 - Local detection: 60+ URL pattern signatures plus a 550+ brand database plus homograph and Punycode checks, all running inside the extension before the page renders. It flags lookalike download and distribution pages that impersonate a real AI brand on a non-official domain, the kind of page that lures you into installing a fake "AI assistant".
- Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus and ScamAdviser feeds plus 30+ scam TLD lists to flag distribution pages and ad-landing sites already reported as malicious.
- Layer 3 - AI deep scan (Premium): 100+ language content analysis catches a brand-new fake-tool landing page in seconds, including a fresh "free AI coding assistant" or "best ad blocker" page that copies a real brand's styling to push a download.
Honest scope: SafeBrowz is a browser scanner. It checks the URLs and pages you load, so it can flag the malicious download, distribution and lookalike pages and the phishing that lures these installs, before you reach them. What it cannot do is inspect the internal code of a plugin or extension you have already installed from a marketplace. The defenses for that are the human checks in this article: verify the publisher, audit the permissions, and rotate any exposed key. Use SafeBrowz to catch the bad page, and use those checks to vet the install itself.
Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.
Where browser-layer defense fits
Most of these installs do not start in the marketplace. They start with a page: a search ad for a "free AI coding assistant", a forum link to the "best ad blocker", a lookalike site that copies a real AI brand. That page is where a browser scanner earns its place. When a download or install page impersonates a known AI brand on a domain that is not the brand's own, a brand-aware scanner flags the impersonation before you click install. SafeBrowz is a free extension for Chrome, Firefox and Edge, plus a SafeBrowz Android app (Safari coming soon), that checks every URL before it renders against a 550+ brand database, with 60+ URL pattern signatures and optional AI deep scan. Pair it with the rule that beats this whole category: learn how to tell if a website is a scam, see how attackers abuse fake ChatGPT and Sora download ads, and never install an "AI" tool from an unverified publisher without checking the permissions first.
Install SafeBrowz free
Add the browser extension, or the SafeBrowz Android app, that flags malicious download, distribution and lookalike pages automatically, on every page, before it renders. Free forever, with optional Premium AI deep scan at $14.99 per year.
Frequently asked questions
Are the malicious AI coding plugins on the JetBrains Marketplace real?
Yes. In mid-June 2026, The Hacker News and BleepingComputer reported that researchers found roughly 15 malicious JetBrains Marketplace plugins posing as AI coding assistants, with names like CodeGPT AI Assistant and DeepSeek AI Assist, some with 25,000-plus installs each. They read the developer's OpenAI, DeepSeek and SiliconFlow API keys and send them in plaintext over unencrypted HTTP to attacker servers. The newest malicious plugin was published June 10, 2026, so the threat is current.
What is PromptSnatcher?
PromptSnatcher is the nickname for a campaign using two Chrome extensions disguised as ad blockers. Instead of blocking ads, they read your AI chat pages and silently capture your conversations with ChatGPT, Claude, Gemini, Copilot, Perplexity and Grok, exfiltrating both the prompts you type and the answers the model gives. The takeaway is that an ad blocker does not need permission to read your AI chats, so that permission is the red flag.
How do attackers steal my AI API key, and why does it matter?
A malicious IDE plugin reads the API key you stored so your tools can talk to a model, then forwards it to a server the attacker controls. With your key, an attacker can run their own workloads on your account and leave you the bill, or resell access to your key in bulk. Your provider sees the usage as yours. If you ever installed a suspect plugin, revoke the key in your provider dashboard, generate a new one, and check your billing for charges that are not yours.
How do I tell a fake AI plugin from a real one?
Check the publisher, not the name. The real assistant from an AI provider comes from that provider's own verified publisher listing, not a lookalike with a similar name. Install counts and reviews can be faked, so a recent publish date on a "popular" tool is a warning. Then audit the permissions: if a coding plugin wants your API key with no clear reason, or an extension wants to read all your sites and chats, treat it as suspicious and prefer the official first-party tool.
Can SafeBrowz block a malicious AI plugin?
SafeBrowz is a browser scanner, so it checks the URLs and pages you load. It flags the malicious download, distribution and lookalike pages and the phishing ads that lure these installs, before you reach them. It does not inspect the internal code of a plugin or extension you already installed from a marketplace; that is the marketplace's job and yours. Use SafeBrowz to catch the bad page, and verify the publisher plus audit the permissions to vet the install itself.
Bottom line: The "AI" name on a plugin or extension proves nothing. The fake JetBrains assistants reported in June 2026 grab your OpenAI and DeepSeek API keys, and the PromptSnatcher ad blockers read your ChatGPT and Claude chats, all on the strength of an unverified publisher and broad permissions you waved through at install. Verify the publisher, audit the permissions, rotate any exposed key, and keep SafeBrowz on your browser so the fake download and lookalike pages that lure these installs get flagged before you ever click install.