Checkmarx Jenkins Plugin Sabotaged Again — Malicious Version Hits Marketplace After TeamPCP Intrusion
Checkmarx is battling a second supply-chain breach after detecting a compromised version of its Jenkins AST security plugin uploaded to the Jenkins Marketplace. The incident, discovered over the weekend of May 9, 2026, follows an earlier intrusion attributed to the TeamPCP threat group, raising fresh concerns about the security of the code scanning vendor's software distribution infrastructure.
The unauthorized upload rendered versions published as of May 9, 2026, untrustworthy. Checkmarx issued an emergency advisory the same day, directing customers to immediately verify they are running version 2.0.13-829.vc72453fa_1c16 — the safe release published December 17, 2025. Despite the warning, the malicious version remained available on the Jenkins Marketplace at the time of publication, installed across several hundred controllers. Pull requests to address the issue were submitted Monday morning, though the compromised build still appeared as the most recent version available. Checkmarx confirmed it is working to publish a corrected release and urged all users to audit their installations.
The repeat targeting of Checkmarx's plugin ecosystem signals a persistent threat actor with sustained interest in the company's distribution channels. Security teams using Checkmarx's AST Scanner within Jenkins CI pipelines should treat any version published on or around May 9, 2026, as potentially hostile and immediately confirm which version each controller is running. The incident underscores the growing risk of trusted update mechanisms being weaponized against development toolchains, a tactic increasingly favored by threat groups seeking broad downstream access.
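One way to carry out the audit the advisory asks for across a fleet of controllers, as an added example (not Checkmarx's or the Jenkins project's own code): it reads each controller's standard Jenkins plugin-manager API response, flags any installed version other than the known-good release for rollback, and separately flags controllers where the update center is offering a newer build, since that offered update is the compromised one while it still tops the marketplace. The plugin's Jenkins short name is an assumption, and the sample responses are constructed.

```python
import json
from typing import Dict, List

# Assumptions (not from the advisory): the plugin's Jenkins short name, and the
# standard shape of a Jenkins /pluginManager/api/json?depth=1 response.
PLUGIN_SHORT_NAME = "checkmarx-ast-scanner"
# Last known-good release named in the Checkmarx advisory.
KNOWN_GOOD_VERSION = "2.0.13-829.vc72453fa_1c16"


def audit_controller(plugin_manager_json: str) -> dict:
    """Report the installed version, whether it is the known-good release, and
    whether the update center is offering a newer build (while the marketplace
    still carries the compromised build, that offer must not be accepted)."""
    data = json.loads(plugin_manager_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") != PLUGIN_SHORT_NAME:
            continue
        version = plugin.get("version", "")
        return {"installed": True, "version": version,
                "known_good": version == KNOWN_GOOD_VERSION,
                "update_offered": bool(plugin.get("hasUpdate"))}
    return {"installed": False, "version": None, "known_good": True,
            "update_offered": False}


def audit_fleet(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort controllers ({name: plugin-manager JSON}) by the action each needs."""
    actions: Dict[str, List[str]] = {"ok": [], "rollback": [], "hold_update": []}
    for name, body in responses.items():
        r = audit_controller(body)
        if not r["installed"] or (r["known_good"] and not r["update_offered"]):
            actions["ok"].append(name)
        elif not r["known_good"]:
            actions["rollback"].append(name)  # any other version is untrusted
        else:
            actions["hold_update"].append(name)  # safe now; refuse the offered update
    return actions


def _entry(version: str, has_update: bool) -> str:
    return json.dumps({"plugins": [{"shortName": PLUGIN_SHORT_NAME,
                                    "version": version, "hasUpdate": has_update}]})


# Constructed sample responses, not captured from real controllers.
SAMPLE = {
    "ci-a": _entry(KNOWN_GOOD_VERSION, False),
    "ci-b": _entry("0.0.0-placeholder_unexpected", False),
    "ci-c": _entry(KNOWN_GOOD_VERSION, True),
    "ci-d": json.dumps({"plugins": [{"shortName": "git", "version": "5.2.1"}]}),
}
```

Feed `audit_fleet` the JSON fetched from each controller's plugin-manager endpoint with an authenticated client; controllers in `rollback` need the known-good release reinstalled, and those in `hold_update` should have the plugin pinned until a corrected release is published.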