CheckMarx Jenkins Plugin Compromised with Infostealer
Checkmarx warned over the weekend that a rogue version of its Jenkins Application Security Testing (AST) plugin had been published on the Jenkins Marketplace. The compromise was claimed by the TeamPCP hacker group, which initiated a spree of supply-chain attacks that included the Shai-Hulud campaigns on npm and the Trivy vulnerability scanner breach, resulting in the delivery of credential-stealing malware.
Jenkins and the CheckMarx AST Plugin
Jenkins is one of the most widely used Continuous Integration/Continuous Deployment (CI/CD) automation solutions for software building, testing, code scanning, application packaging, and deploying updates to servers. The Checkmarx AST plugin on the Jenkins Marketplace integrates security scanning into automated pipelines.
“We are aware that a modified version of the Checkmarx Jenkins AST plugin was published to the Jenkins Marketplace. We are in the process of publishing a new version of this plug-in,” Checkmarx alerted in the update.
Series of Supply-Chain Attacks
This is the third incident in a series of supply-chain attacks the application security testing firm has suffered since late March. According to offensive security engineer Adnand Khan, TeamPCP gained access to Checkmarx's GitHub repositories and backdoored the Jenkins AST plugin to deliver credential-stealing malware.
A company spokesperson confirmed to BleepingComputer that the threat actor obtained credentials to the repositories from the Trivy supply-chain attack in March. A message the hackers left in the about section reads: "Checkmarx fails to rotate secrets again. With love - TeamPCP."
Access to Checkmarx's GitHub Repositories
TeamPCP had access to Checkmarx's GitHub repositories, which allowed them to interact with Checkmarx’s GitHub environment and subsequently publish malicious code to certain artifacts. Using credentials stolen in the Trivy attack, the hackers published modified versions of multiple developer tools on GitHub, Docker, and VSCode that included info-stealing code.
Malicious Version of the CheckMarx Jenkins AST Plugin
On Saturday, May 9, a rogue version (2026.5.09) of the Checkmarx Jenkins AST plugin was uploaded to repo.jenkins-ci.org. The update was outside the plugin's release pipeline and included malicious code. Apart from not following the official date style scheme, the malicious plugin lacked a git tag and a GitHub release.
Checkmarx advised users to ensure that they are using version 2.0.13-829.vc72453fa_1c16 of the plugin published on December 17, 2025, or an older one. Although Checkmarx hasn’t shared any details about what the rogue Jenkins plugin does on systems, those who have downloaded the malicious version should assume that their credentials are compromised, rotate all secrets, and investigate for lateral movement or persistence.
Customer Data and Recommendations
Checkmarx says that its GitHub repositories are isolated from its customer production environment, and no customer data is stored in the GitHub repository. "We have communicated with our customers throughout this process and will continue to provide relevant updates as more information becomes available," the cybersecurity company said, adding that customers can find recommendations on the Support Portal or in the Security Updates sections.
Checkmarx has published a set of malicious artifacts that defenders can use as indicators of compromise (IoCs) on their environments.
Related Incidents
The incident is part of a wave of supply-chain attacks that have affected several companies, including the compromise of the Bitwarden CLI npm package, the DAEMON Tools trojanized in a supply-chain attack, and the backdoored PyTorch Lightning package.
A wave of new exploits is coming, with 99% of what Mythos found still unpatched. AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes.
Source: BleepingComputer