Checkmarx Jenkins plugin compromised by infostealer

▼ Summary
– A rogue version of Checkmarx’s Jenkins AST plugin was published on the Jenkins Marketplace, claimed by the TeamPCP hacker group as part of a supply-chain attack spree.
– TeamPCP gained access to Checkmarx’s GitHub repositories using credentials stolen from a prior Trivy vulnerability scanner breach, enabling them to publish malicious code.
– The malicious plugin version (2026.5.09) was uploaded outside the official release pipeline, lacking a git tag and GitHub release, and delivered credential-stealing malware.
– Checkmarx advised users to use plugin version 2.0.13-829.vc72453fa_1c16 or older, and warned that those who downloaded the rogue version should assume credentials are compromised.
– Checkmarx stated its GitHub repositories are isolated from customer production environments, with no customer data stored there, and has published indicators of compromise for defenders.
Over the weekend, Checkmarx issued a warning about a malicious version of its Jenkins Application Security Testing (AST) plugin being uploaded to the Jenkins Marketplace. The breach is attributed to the hacker group TeamPCP, which has been on a spree of supply-chain attacks that previously included the Shai-Hulud campaigns on npm and the Trivy vulnerability scanner compromise. These earlier attacks also delivered credential-stealing malware.
Jenkins is a widely used CI/CD automation platform for building, testing, scanning code, packaging applications, and deploying software updates. The Checkmarx AST plugin integrates security scanning directly into these automated pipelines. The company confirmed that a rogue version of this plugin was published and said it is now working to release a clean update.
This incident marks the third supply-chain attack Checkmarx has faced since late March. According to offensive security engineer Adnan Khan, TeamPCP infiltrated Checkmarx’s GitHub repositories and backdoored the Jenkins AST plugin to deploy info-stealing malware. A company spokesperson told BleepingComputer that the attacker obtained repository credentials from the Trivy supply-chain breach in March.
A message left by the hackers in the plugin's about section reads: “Checkmarx fails to rotate secrets again. With love – TeamPCP.” The attackers maintained access for at least a month, and during that time published malicious versions of multiple developer tools on GitHub, Docker, and VS Code that harvested data from developer environments. In late April, Checkmarx had already confirmed that the LAPSUS$ threat group leaked data stolen from its private GitHub repository.
On Saturday, May 9, the malicious version 2026.5.09 of the Jenkins AST plugin appeared on repo.jenkins-ci.org. The upload bypassed the normal release pipeline: it had no git tag and no GitHub release, and its date-like version string does not follow the plugin's official versioning scheme, in which releases carry a commit count and git hash (for example 2.0.13-829.vc72453fa_1c16). Checkmarx advises users to ensure they are running version 2.0.13-829.vc72453fa_1c16 (published December 17, 2025) or an older one.
Although Checkmarx has not detailed what the rogue plugin does, anyone who downloaded it should assume credentials are compromised, rotate all secrets immediately, and check for lateral movement or persistence. The company states its GitHub repositories are isolated from customer production environments, and no customer data is stored there.
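The two checks above (are you on the last known-good release, and did the rogue build land on your controller?) can be automated from the plugin manifests under $JENKINS_HOME/plugins. The script below is an added example, not Checkmarx's or the Jenkins project's code; it assumes the plugin's short name (Maven artifactId) is checkmarx-ast-scanner, and the two MANIFEST.MF texts it ships with are constructed for the demo. Besides matching the exact rogue version, it flags any version that sorts above the last known-good release or that does not follow the official revision-commitcount.vhash scheme, so a renamed or re-pushed rogue build would also be caught.

```python
"""Check whether a Jenkins controller carries the rogue Checkmarx AST plugin build.

Added example (not Checkmarx's or the Jenkins project's code). Assumptions:
  * the plugin's short name / artifactId is "checkmarx-ast-scanner";
  * the MANIFEST.MF texts in SAMPLE_MANIFESTS are constructed for this demo.
Version strings come from the Checkmarx advisory quoted in the article.
"""
import re
import sys
import zipfile
from pathlib import Path
from typing import Optional

PLUGIN_SHORT_NAME = "checkmarx-ast-scanner"    # assumed plugin id
LAST_KNOWN_GOOD = "2.0.13-829.vc72453fa_1c16"   # last clean release per Checkmarx
ROGUE_VERSION = "2026.5.09"                     # build pushed outside the pipeline

# Official builds follow the Jenkins CD versioning: <revision>-<commits>.v<sha>
OFFICIAL_SCHEME = re.compile(r"^\d+(\.\d+)*-\d+\.v[0-9a-f_]+$")


def version_key(version: str) -> tuple:
    """Sort key: numeric revision first, then the commit count after the dash."""
    head, _, tail = version.partition("-")
    revision = tuple(int(p) for p in head.split(".") if p.isdigit())
    count = tail.split(".", 1)[0]
    return (revision, int(count) if count.isdigit() else 0)


def assess_version(version: str) -> dict:
    """Three independent signals; any one of them is grounds to rotate secrets."""
    return {
        "version": version,
        "is_known_rogue": version == ROGUE_VERSION,
        "newer_than_last_known_good": version_key(version) > version_key(LAST_KNOWN_GOOD),
        "follows_official_scheme": bool(OFFICIAL_SCHEME.match(version)),
    }


def parse_manifest(manifest_text: str) -> dict:
    """Parse a JAR MANIFEST.MF, folding the space-prefixed continuation lines."""
    fields, last_key = {}, None
    for raw in manifest_text.splitlines():
        if raw.startswith(" ") and last_key:
            fields[last_key] += raw[1:]
        elif ":" in raw:
            key, _, value = raw.partition(":")
            last_key = key.strip()
            fields[last_key] = value.strip()
    return fields


def assess_manifest(manifest_text: str) -> Optional[dict]:
    """Return findings if this manifest belongs to the Checkmarx plugin, else None."""
    fields = parse_manifest(manifest_text)
    if fields.get("Short-Name") != PLUGIN_SHORT_NAME:
        return None
    return assess_version(fields.get("Plugin-Version", ""))


def scan_plugins_dir(plugins_dir: Path) -> list:
    """Read the manifest out of every *.jpi / *.hpi under $JENKINS_HOME/plugins."""
    findings = []
    for archive in sorted(list(plugins_dir.glob("*.jpi")) + list(plugins_dir.glob("*.hpi"))):
        with zipfile.ZipFile(archive) as zf:
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        result = assess_manifest(text)
        if result:
            findings.append({"path": str(archive), **result})
    return findings


# Constructed manifests: one clean release, one matching the rogue upload.
SAMPLE_MANIFESTS = {
    "clean": ("Manifest-Version: 1.0\r\nShort-Name: checkmarx-ast-scanner\r\n"
              "Plugin-Version: 2.0.13-829.vc72453fa_1c16\r\n"),
    "rogue": ("Manifest-Version: 1.0\r\nShort-Name: checkmarx-ast-scanner\r\n"
              "Plugin-Version: 2026.5.09\r\n"),
}


def assess_samples() -> list:
    """Run the check over the constructed manifests (clean first, rogue second)."""
    return [assess_manifest(m) for m in SAMPLE_MANIFESTS.values()]


if __name__ == "__main__":
    # Pass $JENKINS_HOME/plugins to scan a real controller; otherwise use the samples.
    results = scan_plugins_dir(Path(sys.argv[1])) if len(sys.argv) > 1 else assess_samples()
    for r in results:
        suspect = (r["is_known_rogue"] or r["newer_than_last_known_good"]
                   or not r["follows_official_scheme"])
        print(f"{r['version']:<32} {'ROGUE/SUSPECT' if suspect else 'ok'}")
```

On a live controller the same version string is available from the script console via `Jenkins.instance.pluginManager.getPlugin("checkmarx-ast-scanner")?.version` (plugin id assumed, as above). A hit on any of the three signals means treating the host as compromised per the advisory: rotate every secret the controller could reach, not just the Checkmarx API key, and review build logs and agent connections for persistence.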
“We have communicated with our customers throughout this process and will continue to provide relevant updates,” Checkmarx said, pointing users to the Support Portal and Security Updates sections for recommendations. The company has also published a set of malicious artifacts as indicators of compromise (IoCs) for defenders to use.
(Source: BleepingComputer)