Malicious Checkmarx Jenkins Plugin Published to Jenkins Marketplace in Supply Chain Attack
A compromised version of the Checkmarx Jenkins AST Plugin was published to the Jenkins Marketplace late last week, security researchers confirmed. The incident adds to a growing list of supply chain attacks targeting open-source development ecosystems and software build pipelines. While details about the scope of the compromise and the malicious payload remain limited, the abuse of a trusted CI/CD security tool as an attack vector is a significant escalation in software supply chain threats: a scanning plugin is granted access to exactly the source code and pipelines an attacker wants to reach.
The Jenkins Marketplace, the update center from which Jenkins installations download plugins, serves as the primary distribution channel for plugins used in continuous integration and delivery workflows across thousands of organizations. Security teams rely on these plugins to automate code scanning, vulnerability detection, and deployment pipelines. A Jenkins plugin runs inside the controller's own process rather than in a sandbox, so a compromised plugin embedded in these workflows can in general read credentials the controller holds, alter job definitions, and run code on the build agents it manages, giving attackers a path to build environments, source code repositories, and artifact distribution channels. Checkmarx, a company specializing in application security testing, develops the AST Plugin to integrate static analysis capabilities directly into Jenkins pipelines.
Supply chain attacks against development infrastructure have accelerated in recent years, with threat actors increasingly targeting upstream code repositories and package registries. Security researchers are examining the malicious plugin version to determine its functionality, the number of affected users, and whether the attack targeted specific organizations or was broad in reach. Organizations using the Checkmarx Jenkins AST Plugin are advised to compare the version and checksum of the installed plugin archive against the metadata published by the official update center, to pin a known-good version rather than accept automatic updates, and to monitor build environments for anomalous behavior such as unexpected outbound connections from controllers or agents. Because the malicious version was served through the official channel, a checksum that matches the current index entry is not by itself evidence that the installed build is benign; the installed version should also be compared with the version the organization last vetted. Any controller that ran the compromised version should be treated as having potentially exposed every credential and repository it could reach. The investigation is ongoing, and further details are expected as security firms and Checkmarx publish technical analysis of the compromised package.
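As an added example (not code from Checkmarx, Jenkins, or the researchers cited above), the script below shows the verification step the advice describes: it reads Short-Name and Plugin-Version from a plugin archive's manifest, computes the archive's SHA-256, and compares both against an update-center style index entry and against an organization's own pinned version. It assumes Jenkins plugin packaging (a .jpi/.hpi is a zip with META-INF/MANIFEST.MF) and the shape of updates.jenkins.io's update-center.actual.json (a "plugins" map whose entries carry "version" and a base64-encoded "sha256"); the plugin id, archives, and index data below are constructed placeholders so the script runs offline.

```python
"""Check installed Jenkins plugin archives against update-center metadata.

Added example, not Checkmarx or Jenkins project code. Assumptions:
  - a .jpi/.hpi is a zip whose META-INF/MANIFEST.MF carries Short-Name
    and Plugin-Version headers (Jenkins plugin packaging);
  - update-center metadata looks like updates.jenkins.io's
    update-center.actual.json: plugins.<id> with "version" and a
    base64-encoded "sha256" of the archive.
The archives and metadata below are constructed inline so this runs offline.
"""
import base64
import hashlib
import io
import json
import zipfile
from pathlib import Path
from typing import Optional


def build_plugin_archive(short_name: str, version: str, payload: bytes) -> bytes:
    """Constructed stand-in for a .jpi: a zip with a manifest and one class file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nShort-Name: {short_name}\r\n"
                    f"Plugin-Version: {version}\r\n\r\n")
        zf.writestr("WEB-INF/classes/Placeholder.class", payload)
    return buf.getvalue()


def read_manifest(archive: bytes) -> dict:
    """Parse MANIFEST.MF headers, joining space-prefixed continuation lines."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    headers, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last:          # continuation of previous header
            headers[last] += line[1:]
        elif ":" in line:
            last, _, value = line.partition(":")
            headers[last] = value.strip()
    return headers


def sha256_b64(data: bytes) -> str:
    """Base64 SHA-256, the encoding assumed for the index's 'sha256' field."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def verify_plugin(archive: bytes, update_center: dict,
                  pinned_version: Optional[str] = None) -> dict:
    """Compare one installed archive with the index entry and with a local pin.

    sha256_match says the file is what the index currently serves;
    pinned_match says it is the version you vetted. If the index itself
    served a bad build, only the pin catches it.
    """
    manifest = read_manifest(archive)
    short_name = manifest.get("Short-Name", "")
    installed = manifest.get("Plugin-Version")
    entry = update_center.get("plugins", {}).get(short_name)
    return {
        "short_name": short_name,
        "installed_version": installed,
        "known": entry is not None,
        "version_match": entry is not None and installed == entry.get("version"),
        "sha256_match": entry is not None and sha256_b64(archive) == entry.get("sha256"),
        "pinned_match": pinned_version is None or installed == pinned_version,
    }


def verify_plugin_dir(plugins_dir: str, update_center: dict, pins: dict) -> list:
    """Run verify_plugin over every .jpi/.hpi under a JENKINS_HOME/plugins directory."""
    results = []
    for path in sorted(Path(plugins_dir).glob("*.[jh]pi")):
        archive = path.read_bytes()
        name = read_manifest(archive).get("Short-Name", "")
        results.append(verify_plugin(archive, update_center, pins.get(name)))
    return results


def load_update_center(path: str) -> dict:
    """Load a locally saved copy of update-center.actual.json."""
    with open(path, "rb") as fh:
        return json.load(fh)


# Constructed sample data; the plugin id is a placeholder, not a real plugin.
PLUGIN_ID = "example-ast-plugin"
OFFICIAL = build_plugin_archive(PLUGIN_ID, "2.0.1", b"\xca\xfe\xba\xbe official")
TAMPERED = build_plugin_archive(PLUGIN_ID, "2.0.1", b"\xca\xfe\xba\xbe tampered")
UPDATE_CENTER = {"plugins": {PLUGIN_ID: {"version": "2.0.1", "sha256": sha256_b64(OFFICIAL)}}}

if __name__ == "__main__":
    for label, archive in (("official", OFFICIAL), ("tampered", TAMPERED)):
        print(label, verify_plugin(archive, UPDATE_CENTER, pinned_version="2.0.1"))
```

The tampered sample keeps the manifest of the official build, so its version matches the index while its checksum does not; that is the case a version-only check misses. The reverse case is the one this incident illustrates: an archive whose checksum matches a poisoned index entry passes the sha256 check, and only the pinned_version comparison against a previously vetted release flags it. In practice, feed verify_plugin_dir a saved copy of the update-center JSON and a pin file maintained outside the Jenkins controller.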