Fast Facts
- A maliciously altered version of the Checkmarx Jenkins AST plugin was published to the Jenkins Marketplace, exploiting supply chain weaknesses to target users of the plugin.
- The cybercrime group TeamPCP has repeatedly compromised Checkmarx-related assets, including GitHub repositories and Docker images, to deploy credential-stealing malware.
- Persistent adversary access, indicated by defaced repositories and unrotated credentials, suggests ongoing, targeted exploitation of supply chain security gaps.
Threat, Attack Techniques, and Targets
Checkmarx has confirmed that a modified version of its Jenkins AST plugin was posted to the Jenkins Marketplace. The malicious plugin was published after unauthorized access to Checkmarx’s GitHub repository. The compromised version was identified as 2.0.13-829.vc72453fa_1c16, released on December 17, 2025. The attacker’s goal was to distribute malicious code through an official plugin, putting its users at risk. This event is connected to activity by TeamPCP, a cybercriminal group known for targeting the software supply chain. TeamPCP was previously linked to breaches of various developer tooling, including Docker images, VS Code extensions, and GitHub workflows, with the aim of pushing malware that steals credentials and secrets from developers.
The targets are mainly organizations and developers using the Checkmarx Jenkins AST plugin and related DevSecOps tools, which automate code security testing and analysis. The group exploits the trust placed in these tools to deliver malware quickly. These attacks highlight the threat of supply chain compromise, especially through trusted software components.
Impact, Security Implications, and Remediation Guidance
The attack can have serious consequences. The malicious plugin could enable attackers to run malicious code within victim environments. This may lead to sensitive data theft, unauthorized access, or further malware infections. The breaches show that cybercriminal groups like TeamPCP actively watch for vulnerabilities and attempt to re-enter systems even after initial mitigation efforts.
Since Checkmarx is still updating its plugin, organizations should be cautious. Security implications include the risk of malware spread, credential theft, and potential disruption of development processes. Companies should verify that they are using version 2.0.13-829 or earlier of the plugin, as later versions have been released to fix the issue. Because detailed remediation steps are not included in the report, organizations are advised to obtain guidance from Checkmarx or relevant cybersecurity authorities. They should consider reviewing their supply chain security and ensuring that all plugins and software are from trusted sources and are up to date.
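One concrete way to carry out the version check described above is to inventory the plugin archives on a Jenkins controller and compare them against the compromised version string named in this report. The script below is an added example, not code from Checkmarx, Jenkins, or this report. It assumes that Jenkins plugins are shipped as .jpi/.hpi zip archives whose META-INF/MANIFEST.MF carries Short-Name and Plugin-Version headers (true for standard Jenkins plugins), and that the Checkmarx AST plugin's short name is checkmarx-ast-scanner, which is an assumption you should confirm against your own inventory. The sample archives it builds are constructed for the demo.

```python
"""Inventory Jenkins plugin archives and flag a known-compromised version.

Added example, not Checkmarx's or Jenkins' code. A Jenkins plugin (.jpi/.hpi)
is a zip archive whose META-INF/MANIFEST.MF carries Short-Name and
Plugin-Version headers; this script reads those headers and compares them
against a denylist built from the advisory.
"""
import io
import zipfile
from pathlib import Path

# Version string the report names as the compromised release. The plugin
# short name "checkmarx-ast-scanner" is an assumption for this example;
# confirm it against your own Jenkins plugin inventory.
COMPROMISED = {
    "checkmarx-ast-scanner": {"2.0.13-829.vc72453fa_1c16"},
}


def parse_manifest(text: str) -> dict:
    """Parse a JAR manifest into a dict, re-joining wrapped continuation lines."""
    headers = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and last_key is not None:
            # JAR manifests wrap long values at 72 bytes; continuation
            # lines start with a single space that is not part of the value.
            headers[last_key] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue
        last_key = key.strip()
        headers[last_key] = value.lstrip(" ")
    return {k: v.strip() for k, v in headers.items()}


def read_plugin_identity(archive_bytes: bytes) -> tuple:
    """Return (short_name, version) from a plugin archive's manifest."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    headers = parse_manifest(manifest)
    return headers["Short-Name"], headers["Plugin-Version"]


def find_compromised(inventory: dict) -> list:
    """Return (short_name, version) pairs that exactly match the denylist."""
    return [
        (name, version)
        for name, version in sorted(inventory.items())
        if version in COMPROMISED.get(name, set())
    ]


def scan_plugin_dir(plugins_dir: Path) -> dict:
    """Build an inventory from every .jpi/.hpi under a Jenkins plugins directory."""
    inventory = {}
    for path in sorted(plugins_dir.glob("*.[jh]pi")):
        name, version = read_plugin_identity(path.read_bytes())
        inventory[name] = version
    return inventory


def build_sample_archive(short_name: str, version: str) -> bytes:
    """Construct an in-memory .jpi with a manifest; sample data for the demo only."""
    long_value = "Sample plugin built for the added example " + "x" * 60
    # Wrap the long header at 72 bytes the way the JAR spec does, so the
    # parser's continuation-line handling is exercised.
    line = f"Long-Name: {long_value}"
    wrapped = line[:72] + "\n " + line[72:]
    manifest = (
        "Manifest-Version: 1.0\n"
        f"Short-Name: {short_name}\n"
        f"Plugin-Version: {version}\n"
        f"{wrapped}\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()


def demo() -> list:
    """Scan two constructed archives; one carries the compromised version string."""
    inventory = {}
    for name, version in [
        ("checkmarx-ast-scanner", "2.0.13-829.vc72453fa_1c16"),
        ("git", "5.0.0"),  # constructed, unaffected plugin
    ]:
        found_name, found_version = read_plugin_identity(
            build_sample_archive(name, version)
        )
        inventory[found_name] = found_version
    return find_compromised(inventory)


if __name__ == "__main__":
    # On a real controller, replace demo() with
    # find_compromised(scan_plugin_dir(Path("/var/lib/jenkins/plugins"))).
    for name, version in demo():
        print(f"COMPROMISED: {name} {version}")
```

The match is deliberately exact: Jenkins incremental versions embed a commit hash, so a different hash with the same 2.0.13-829 prefix is a different build, and this check reports only the identifier the report names rather than guessing about neighbouring versions. Extend COMPROMISED from Checkmarx's own advisory as further identifiers are published.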