Checkmarx Jenkins Plugin Compromised by TeamPCP in Supply Chain Attack
Cybersecurity firm Checkmarx is addressing a significant supply chain attack after detecting an unauthorized, malicious version of its Jenkins AST Scanner plugin uploaded to the Jenkins Marketplace. The incident, discovered on Saturday, May 9, 2026, involves the threat actor group TeamPCP, which has targeted Checkmarx for the third time in three months. The compromised plugin, infected with Mini Shai-Hulud malware, poses severe risks to users by potentially exposing source code, environment variables, and secrets within CI/CD pipelines. Checkmarx urged customers to verify they are running the trusted version 2.0.13-829.vc72453fa_1c16 and avoid any versions published on or after May 9. The attackers defaced Checkmarx’s GitHub page, renaming it to highlight the breach and alleging failed secret rotation. This event underscores the ongoing vulnerability of development tools to sophisticated supply chain intrusions, following previous compromises of Checkmarx’s GitHub Actions plugin and KICS tool. Security experts warn that the trust model inherent in such plugins allows backdoors to propagate deeply into infrastructure, affecting hundreds of controllers and potentially thousands of downstream projects.
Wire timeline
Checkmarx Jenkins Plugin Compromised by TeamPCP in Supply Chain Attack
Cybersecurity firm Checkmarx is addressing a significant supply chain attack after detecting an unauthorized, malicious version of its Jenkins AST Scanner plugin uploaded to the Jenkins Marketplace. The incident, discovered on Saturday, May 9, 2026, involves the threat actor group TeamPCP, which has targeted Checkmarx for the third time in three months. The compromised plugin, infected with Mini Shai-Hulud malware, poses severe risks to users by potentially exposing source code, environment variables, and secrets within CI/CD pipelines. Checkmarx urged customers to verify they are running the trusted version 2.0.13-829.vc72453fa_1c16 and avoid any versions published on or after May 9. The attackers defaced Checkmarx’s GitHub page, renaming it to highlight the breach and alleging failed secret rotation. This event underscores the ongoing vulnerability of development tools to sophisticated supply chain intrusions, following previous compromises of Checkmarx’s GitHub Actions plugin and KICS tool. Security experts warn that the trust model inherent in such plugins allows backdoors to propagate deeply into infrastructure, affecting hundreds of controllers and potentially thousands of downstream projects.
www.theregister.com - Articles