VYPR
Breach · Published May 11, 2026 · Updated May 18, 2026 · 5 sources

Checkmarx Jenkins Plugin Compromised in Ongoing TeamPCP Supply-Chain Campaign

A malicious, backdoored version of the Checkmarx Jenkins AST plugin was uploaded to the Jenkins Marketplace by the threat group TeamPCP, marking the third supply-chain compromise of the firm in as many months.

A malicious, backdoored version of the Checkmarx Jenkins Application Security Testing (AST) plugin was discovered on the Jenkins Marketplace over the weekend of May 9, 2026. The unauthorized update, identified as version 2026.5.09, was uploaded outside of the company's official release pipeline and lacked the standard verification markers of a legitimate release, such as a git tag or a GitHub release (BleepingComputer).

The compromise is the latest in a series of supply-chain attacks targeting Checkmarx, attributed to the threat actor group known as TeamPCP. According to security researcher Adnan Khan and reports from SOCRadar, the attackers gained unauthorized access to Checkmarx's GitHub repositories, where they defaced the project page (renaming it to "Checkmarx-Fully-Hacked-by-TeamPCP") and left a message taunting the company for failing to rotate its secrets (BleepingComputer, The Hacker News, The Register).

The malicious plugin is designed to deliver credential-stealing malware. Because the plugin runs inside CI/CD pipelines to integrate security scanning, its compromise is particularly dangerous: the plugin executes on the Jenkins controller and agents with access to everything the build sees, giving the attackers a foothold within trusted infrastructure and potential access to source code, environment variables, API tokens, and other secrets used during automated build and deployment (The Register).

Checkmarx confirmed that the attackers used credentials originally obtained during a March 2026 supply-chain attack involving the Trivy vulnerability scanner. The persistence of these intrusions suggests that the threat actors either retained an unidentified foothold within the company's systems or that previous remediation efforts were insufficient to fully secure the environment (BleepingComputer, The Hacker News, The Register).

In response, Checkmarx has urged all users to verify that they are running version 2.0.13-829.vc72453fa_1c16, the last legitimate release, published on December 17, 2025. The company has since released a clean, updated version of the plugin (2.0.13-848.v76e89de8a_053) on both GitHub and the Jenkins Marketplace to address the incident (The Hacker News, SecurityWeek). Users who installed the rogue version are advised to assume that every credential the affected controller could reach has been compromised, perform a full rotation of all secrets, and investigate thoroughly for signs of lateral movement or persistence (BleepingComputer).
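The verification step above can be scripted. The following is an added example, not code from Checkmarx, the Jenkins project, or any of the cited sources. It checks the plugin version reported by a controller against the versions named in this article, accepting input either as the JSON a Jenkins controller returns from its `/pluginManager/api/json?depth=1` endpoint or as the plugin's `META-INF/MANIFEST.MF`. It assumes the plugin's Jenkins short name is `checkmarx-ast-scanner` (an assumption; confirm it against your own plugin directory), and the sample JSON and manifest embedded below are constructed for illustration. The format heuristic is an extension of the page's observation: the legitimate releases carry the Jenkins automated-release suffix (`-<build>.v<hash>`), while the rogue build does not, so any version string without that shape is flagged even if it is not the known rogue one.

```python
"""Audit a Jenkins controller for the trojanized Checkmarx AST plugin build.

Added example; not code from Checkmarx, Jenkins, or any cited source.
Assumption: the plugin's Jenkins short name is "checkmarx-ast-scanner".
"""
import json
import re
from typing import Optional

PLUGIN_ID = "checkmarx-ast-scanner"  # assumption: Jenkins short name of the Checkmarx AST plugin

ROGUE_VERSIONS = {"2026.5.09"}  # the trojanized build named in the advisory
KNOWN_GOOD_VERSIONS = {
    "2.0.13-829.vc72453fa_1c16",  # last legitimate release (December 17, 2025)
    "2.0.13-848.v76e89de8a_053",  # clean release published after the incident
}
# Legitimate releases use the Jenkins automated-release form <semver>-<build>.v<hash>;
# the rogue upload used a bare date-like string with no build number or hash suffix.
JENKINS_RELEASE_RE = re.compile(r"^\d+\.\d+\.\d+-\d+\.v[0-9a-f_]+$")


def classify(version: str) -> str:
    """Map an installed version string to a verdict."""
    if version in ROGUE_VERSIONS:
        return "ROGUE"
    if version in KNOWN_GOOD_VERSIONS:
        return "KNOWN_GOOD"
    if JENKINS_RELEASE_RE.match(version):
        return "UNLISTED_BUT_WELL_FORMED"  # verify against the GitHub release tags before trusting it
    return "SUSPICIOUS_FORMAT"


def audit_plugin_api(api_json: str) -> list:
    """Scan pluginManager JSON and return one finding per Checkmarx AST plugin entry."""
    data = json.loads(api_json)
    findings = []
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") != PLUGIN_ID:
            continue
        version = str(plugin.get("version", ""))
        findings.append({
            "version": version,
            "active": bool(plugin.get("active", False)),
            "verdict": classify(version),
        })
    return findings


def version_from_manifest(manifest_text: str) -> Optional[str]:
    """Read Plugin-Version from a JAR manifest, unfolding continuation lines.

    MANIFEST.MF wraps long values onto following lines that begin with one space.
    """
    unfolded = manifest_text.replace("\r\n", "\n").replace("\n ", "")
    for line in unfolded.split("\n"):
        if line.startswith("Plugin-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def needs_secret_rotation(findings: list) -> bool:
    """True if any finding is the rogue build; the advisory says treat all reachable secrets as burned."""
    return any(f["verdict"] == "ROGUE" for f in findings)


# Constructed sample input, shaped like a controller's /pluginManager/api/json?depth=1 reply.
SAMPLE_API_JSON = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "5.2.1", "active": True},
        {"shortName": PLUGIN_ID, "version": "2026.5.09", "active": True},
    ]
})

# Constructed sample manifest; the version value is folded across two lines on purpose.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\n"
    "Short-Name: checkmarx-ast-scanner\n"
    "Plugin-Version: 2.0.13-848.v76e\n"
    " 89de8a_053\n"
    "Long-Name: Checkmarx AST Scanner\n"
)

if __name__ == "__main__":
    api_findings = audit_plugin_api(SAMPLE_API_JSON)
    for finding in api_findings:
        print(f"pluginManager: {finding['version']} active={finding['active']} -> {finding['verdict']}")
    manifest_version = version_from_manifest(SAMPLE_MANIFEST)
    print(f"MANIFEST.MF: {manifest_version} -> {classify(manifest_version or '')}")
    if needs_secret_rotation(api_findings):
        print("ACTION: rogue build present; rotate every secret this controller could reach")
```

In practice, feed `audit_plugin_api` the output of `curl -u user:token 'https://jenkins.example/pluginManager/api/json?depth=1'` (hostname and credentials are placeholders) for each controller, and run `version_from_manifest` over `$JENKINS_HOME/plugins/<short-name>/META-INF/MANIFEST.MF` on controllers whose API is unreachable. An `UNLISTED_BUT_WELL_FORMED` verdict is not a clean bill of health; it only means the string looks like a normal automated release and still needs checking against the plugin's GitHub release tags, which is exactly the marker the rogue build lacked.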

This incident marks the third time in three months that Checkmarx has been targeted by TeamPCP, following previous compromises involving the company's KICS analysis tool and various VS Code extensions (BleepingComputer, The Register). The recurring nature of these attacks highlights the significant risk posed by supply-chain compromise, where attackers exploit the trust placed in developer tools to propagate malware across enterprise environments. Security analysts continue to monitor the situation, noting that such breaches underscore the need for rigorous secret management and continuous validation of software supply-chain integrity (The Register).

Checkmarx confirmed on May 11 that its Jenkins AST plugin version 2026.5.09 was trojanized, with an exposure window from May 9 to May 10, and the malicious plugin was installed on several hundred Jenkins controllers before it was pulled. Separately, the Mini Shai-Hulud worm poisoned approximately 170 npm and PyPI packages, including 42 @tanstack packages with combined downloads exceeding 500 million. The worm is the first documented npm malware shipped with valid SLSA Build Level 3 provenance, and it carries a disk-wipe payload targeting Israeli and Iranian locales; the issue is tracked as CVE-2026-45321 (CVSS 9.6).

Synthesized by Vypr AI