Checkmarx Jenkins Plugin Sabotaged: Malicious Version Detected in Supply Chain Attack
Checkmarx disclosed a supply chain compromise targeting its Jenkins plugin, warning customers that an unauthorized version of its AST Scanner plugin was uploaded to the Jenkins Marketplace over the weekend. The company confirmed the breach in a customer advisory on Saturday, May 9, stating that it was working to remove the tampered plugin and urging customers to verify the version installed on each controller immediately.
Because the malicious version appeared as the most recent release on the Jenkins Marketplace, any controller configured to update plugins automatically, or any administrator who applied the pending update, could have pulled the compromised code into its CI/CD pipelines. Checkmarx identified version 2.0.13-829.vc72453fa_1c16, published December 17, 2025, as the verified safe release and warned that any version published as of May 9, 2026, should not be trusted. The plugin, which runs Checkmarx security scans from within Jenkins continuous integration jobs, was installed on several hundred controllers at the time of disclosure. Pull requests to remediate the listing were actioned Monday morning, though the tampered version remained downloadable as of publication.
This incident marks at least the second intrusion linked to the TeamPCP threat actor targeting Checkmarx's distribution infrastructure. The repeated targeting raises the risk for organizations that let developer tooling update itself without review. Security teams are advised to audit their Jenkins environments immediately, compare the installed plugin version on every controller against the known-safe release rather than relying on the update center's view, and pin that release so an automatic update cannot silently replace it. Where a controller already runs a version other than the safe one, treat the pipeline credentials and build artifacts it handled as potentially exposed until the advisory's guidance has been applied.
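The audit and pinning advice above, as an added example that is not code from Checkmarx or the Jenkins project. It compares each controller's installed plugin version (from the `/pluginManager/api/json?depth=1` endpoint, or from the plugin's `META-INF/MANIFEST.MF` on disk for a controller you cannot query live) against the safe version named in the advisory, and emits the `plugins.txt` pin line used by the Jenkins Plugin Installation Manager. The plugin short name `checkmarx-ast-scanner` is an assumption; confirm it against your own controller's plugin list. All sample JSON and manifest text below is constructed.

```python
import json
from typing import Dict, List, Optional

# Version Checkmarx named as the verified safe release in its May 9, 2026 advisory.
SAFE_VERSION = "2.0.13-829.vc72453fa_1c16"
# Assumption: the plugin's Jenkins short name (plugin ID). Verify before relying on it.
PLUGIN_ID = "checkmarx-ast-scanner"


def audit_plugin_list(api_json: str, plugin_id: str = PLUGIN_ID,
                      safe_version: str = SAFE_VERSION) -> Dict[str, object]:
    """Classify one controller from the JSON of /pluginManager/api/json?depth=1.

    The decision is string equality with the safe version: the advisory says every
    later upload is untrusted, so an ordering comparison would be the wrong test.
    """
    data = json.loads(api_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") != plugin_id:
            continue
        version = plugin.get("version", "")
        return {
            "installed": True,
            "version": version,
            "status": "safe" if version == safe_version else "untrusted",
            # True means the update center is offering a newer build than the one
            # installed; after this incident that offer is exactly what must not run.
            "update_offered": bool(plugin.get("hasUpdate", False)),
        }
    return {"installed": False, "version": None, "status": "absent", "update_offered": False}


def audit_fleet(controllers: Dict[str, str]) -> List[str]:
    """Return names of controllers that need attention (untrusted install or pending update)."""
    flagged = []
    for name, api_json in controllers.items():
        result = audit_plugin_list(api_json)
        if result["status"] == "untrusted" or result["update_offered"]:
            flagged.append(name)
    return flagged


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse a JAR MANIFEST.MF. Values longer than 72 bytes are folded onto
    continuation lines that start with a single space; join them back."""
    headers: Dict[str, str] = {}
    last_key: Optional[str] = None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_key is not None:
            headers[last_key] += raw[1:]
        elif ":" in raw:
            key, _, value = raw.partition(":")
            last_key = key.strip()
            headers[last_key] = value.strip()
    return headers


def on_disk_version(manifest_text: str) -> Optional[str]:
    """Version recorded in $JENKINS_HOME/plugins/<id>/META-INF/MANIFEST.MF."""
    return parse_manifest(manifest_text).get("Plugin-Version")


def pin_line(plugin_id: str = PLUGIN_ID, version: str = SAFE_VERSION) -> str:
    """plugins.txt entry (id:version) for the Jenkins Plugin Installation Manager,
    so a rebuild installs exactly the safe release instead of 'latest'."""
    return f"{plugin_id}:{version}"


# Constructed sample data, not captured from any real controller.
SAMPLE_SAFE_JSON = json.dumps({"plugins": [
    {"shortName": "git", "version": "5.7.0", "active": True, "hasUpdate": False},
    {"shortName": PLUGIN_ID, "version": SAFE_VERSION, "active": True, "hasUpdate": True},
]})
SAMPLE_UNTRUSTED_JSON = json.dumps({"plugins": [
    {"shortName": PLUGIN_ID, "version": "9.9.9-constructed", "active": True, "hasUpdate": False},
]})
SAMPLE_ABSENT_JSON = json.dumps({"plugins": [{"shortName": "git", "version": "5.7.0"}]})
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\n"
    "Short-Name: checkmarx-ast-scanner\n"
    "Plugin-Version: 2.0.13-829.vc72453fa_1c16\n"
    "Plugin-Dependencies: workflow-step-api:657.v03b_e8115821b_,credentials:1\n"
    " 393.v6e8dd82a_bf0d\n"
)

if __name__ == "__main__":
    fleet = {"ci-prod": SAMPLE_SAFE_JSON, "ci-dev": SAMPLE_UNTRUSTED_JSON, "ci-old": SAMPLE_ABSENT_JSON}
    for name, api_json in fleet.items():
        print(name, audit_plugin_list(api_json))
    print("needs attention:", audit_fleet(fleet))
    print("on-disk version:", on_disk_version(SAMPLE_MANIFEST))
    print("pin:", pin_line())
```

Feed each controller's live API response into `audit_plugin_list` (or its plugin manifest into `on_disk_version`) and treat both an untrusted version and a pending update as findings; the pin line goes into the `plugins.txt` your controller images are built from, so that a future rebuild does not resolve the plugin to whatever the marketplace currently lists as newest.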