A malicious version of Checkmarx's Jenkins AST plugin was uploaded to the Jenkins Marketplace late last week [1].
This breach is a critical supply-chain compromise because it targets a tool developers trust to secure their code. By compromising a security plugin, attackers can gain deep access to internal build environments and steal sensitive authentication data.
The attack targeted the official plugin repository for Jenkins, where the malicious version of the AST plugin was hosted [1], [2]. Reports said the hacker group TeamPCP was responsible for the compromise [1]. The primary goal of the operation was to harvest developer credentials, including cloud-service keys and GitHub tokens [1], [3].
This incident is part of a broader pattern of instability for the software security company. Checkmarx has faced multiple supply-chain attacks over the last six weeks [3], and within a separate 40-day span, a supply-chain attack delivered malware to its customers on two different occasions [3].
While the Jenkins AST plugin is the current focus, other reports said Checkmarx's KICS tool was also compromised in a separate supply-chain incident [4]. These overlapping attacks suggest a sustained effort by threat actors to undermine the company's security infrastructure.
Security professionals are urged to audit their Jenkins installations and rotate any credentials that may have been exposed through the compromised plugin. The use of official marketplaces does not guarantee safety when the vendor's own distribution pipeline is breached [2].
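One way to turn the audit-and-rotate advice above into a repeatable check, as an added example that is not code from the article, from Checkmarx or from the Jenkins project: read the plugin inventory that Jenkins exposes at /pluginManager/api/json?depth=1 (fields shortName, version, enabled), flag any installed copy of the affected plugin, and, if one is found, emit the list of credential IDs from the controller's credential store (/credentials/store/system/domain/_/api/json?depth=1) as a rotation checklist. The plugin short name "checkmarx-ast-scanner", the flagged version "9.9.9", and both API payloads are assumptions constructed for the example; the real identifiers and affected versions should come from the vendor's advisory.

```python
"""Audit a Jenkins controller's plugin inventory for a compromised plugin version
and derive a credential-rotation checklist.

Added example, not code from the article or from Checkmarx/Jenkins. The JSON
shapes follow the Jenkins pluginManager and credentials REST endpoints; the
plugin short name and the flagged version below are placeholders (assumptions).
"""
import json
from dataclasses import dataclass
from typing import Iterable

# Assumed indicators: plugin short name -> versions to treat as compromised.
# "9.9.9" is a placeholder, not a version taken from any advisory.
KNOWN_BAD = {
    "checkmarx-ast-scanner": {"9.9.9"},
}


@dataclass(frozen=True)
class Finding:
    short_name: str
    version: str
    enabled: bool
    reason: str


def parse_plugins(api_json: str) -> list[dict]:
    """Return the plugin entries from a pluginManager API response, ignoring malformed items."""
    data = json.loads(api_json)
    return [p for p in data.get("plugins", []) if isinstance(p, dict)]


def audit_plugins(plugins: Iterable[dict]) -> list[Finding]:
    """Flag every installed copy of an affected plugin; exact bad versions get a stronger reason."""
    findings: list[Finding] = []
    for p in plugins:
        name = p.get("shortName", "")
        version = str(p.get("version", ""))
        enabled = bool(p.get("enabled", False))
        bad_versions = KNOWN_BAD.get(name)
        if bad_versions is None:
            continue  # not an affected plugin
        if version in bad_versions:
            findings.append(Finding(name, version, enabled, "version listed as compromised"))
        else:
            findings.append(Finding(name, version, enabled,
                                    "affected plugin present; verify version against advisory"))
    return findings


def rotation_checklist(findings: list[Finding], credentials_api_json: str) -> list[str]:
    """If anything was flagged, every credential ID in the store goes on the rotation list."""
    if not findings:
        return []
    data = json.loads(credentials_api_json)
    return sorted(c["id"] for c in data.get("credentials", [])
                  if isinstance(c, dict) and c.get("id"))


# Constructed sample payloads standing in for the two Jenkins API responses.
SAMPLE_PLUGIN_API = json.dumps({"plugins": [
    {"shortName": "git", "version": "5.2.1", "enabled": True},
    {"shortName": "checkmarx-ast-scanner", "version": "9.9.9", "enabled": True},
]})
SAMPLE_CREDENTIALS_API = json.dumps({"credentials": [
    {"id": "github-token", "typeName": "Secret text"},
    {"id": "aws-deploy-key", "typeName": "AWS Credentials"},
]})


if __name__ == "__main__":
    found = audit_plugins(parse_plugins(SAMPLE_PLUGIN_API))
    for f in found:
        state = "enabled" if f.enabled else "disabled"
        print(f"[!] {f.short_name} {f.version} ({state}): {f.reason}")
    for cred_id in rotation_checklist(found, SAMPLE_CREDENTIALS_API):
        print(f"[rotate] {cred_id}")
```

In a real run the two JSON strings would be fetched with an API token from the controller (the endpoints require Overall/Administer for the plugin list and credential metadata); the script deliberately never prints secret values, only the IDs that need rotating.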
The targeting of a security firm like Checkmarx demonstrates a high-level strategy known as 'island hopping,' where attackers compromise a trusted third-party vendor to gain access to that vendor's entire customer base. Because security tools often require high-level administrative permissions to function, a single compromised plugin can grant attackers wide-ranging access to the most sensitive parts of a corporate network.