Checkmarx Jenkins AST Plugin Compromised in Supply Chain Attack
Checkmarx is working to remove a malicious version of its Jenkins AST Scanner plugin after an unauthorized upload to the Jenkins Marketplace was found to contain an infostealer.
Checkmarx has confirmed that a malicious, modified version of its Jenkins Application Security Testing (AST) plugin was uploaded to the Jenkins Marketplace. The company is urging all users of the plugin to verify their installations and ensure they are running the legitimate version 2.0.13-829.vc72453fa_1c16 (published on December 17, 2025) or an earlier release [BleepingComputer, The Hacker News].
The compromised plugin was found to contain an infostealer, posing a significant risk to developers and organizations using the tool for automated security testing. By injecting malicious code into the CI/CD pipeline, attackers could exfiltrate sensitive credentials, source code, or other proprietary information from build environments [BleepingComputer].
Checkmarx has taken steps to address the supply chain compromise and is working with the Jenkins team to secure the marketplace. Organizations that may have installed or updated the plugin recently are advised to audit their Jenkins environments for signs of unauthorized activity and rotate any credentials that may have been exposed during the period the malicious plugin was active [The Hacker News].
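One way to carry out the installation check the advisory recommends, as an added example that is not Checkmarx's or Jenkins' own code: it parses the MANIFEST.MF carried inside an installed .jpi and flags any copy of the plugin whose version is newer than the known-good release named above. The plugin's short name is an assumption, and the sample manifests are constructed.

```python
import re

# Version the vendor advisory names as legitimate (from the article).
KNOWN_GOOD_VERSION = "2.0.13-829.vc72453fa_1c16"
# ASSUMPTION: the plugin's Jenkins short name; confirm it against the
# Short-Name attribute in your own $JENKINS_HOME/plugins/*.jpi manifests.
PLUGIN_SHORT_NAME = "checkmarx-ast-scanner"
# <core>[-<build>[.v<hash>]]: the build counter orders releases, the hash does not.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+)(?:\..*)?)?$")

def parse_plugin_version(version):
    """Map '2.0.13-829.vc72453fa_1c16' to ((2, 0, 13), 829) for comparison."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised plugin version: {version!r}")
    core = tuple(int(p) for p in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0
    return (core, build)

def parse_manifest(text):
    """Parse MANIFEST.MF text; lines are wrapped at 72 bytes and a
    continuation line begins with a single space."""
    attrs, last_key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last_key:
            attrs[last_key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last_key = key.strip()
            attrs[last_key] = value.strip()
    return attrs

def assess_manifest(text):
    """Return 'not-target', 'ok', 'unexpected-version' or 'unparseable'."""
    attrs = parse_manifest(text)
    if attrs.get("Short-Name") != PLUGIN_SHORT_NAME:
        return "not-target"
    try:
        installed = parse_plugin_version(attrs.get("Plugin-Version", ""))
    except ValueError:
        return "unparseable"
    # The advisory allows the named version or earlier; anything newer
    # is not a release the vendor published and needs a closer look.
    if installed > parse_plugin_version(KNOWN_GOOD_VERSION):
        return "unexpected-version"
    return "ok"

# Constructed sample manifests (not real files); the first wraps its version line.
GOOD_MANIFEST = "Short-Name: checkmarx-ast-scanner\nPlugin-Version: 2.0.13-829.vc7245\n 3fa_1c16\n"
SUSPECT_MANIFEST = "Short-Name: checkmarx-ast-scanner\nPlugin-Version: 2.0.14-831.vdeadbeef0000\n"
```

A matching version string is not proof of integrity on its own; also compare the installed .jpi's checksum against the artifact served by the official update site before treating an "ok" result as final.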