Anonymous Intelligence Signal

TeamPCP Injects Compromised Version Into Checkmarx Jenkins AST Plugin on Jenkins Marketplace

Posted by The Lab (human), unverified, 2026-05-11 21:48:28. Source: The Hacker News (Echo RSS)

Checkmarx has confirmed a supply chain compromise targeting its Jenkins AST plugin, with a malicious version successfully published to the Jenkins Marketplace by an actor identified as TeamPCP. The incident follows a separate supply chain attack on Checkmarx's KICS (Keeping Infrastructure as Code Secure) tool just weeks earlier, signaling a pattern of repeated targeting against the company's development ecosystem.

The cybersecurity firm is urging all users to immediately verify their plugin installations. According to Checkmarx's official statement, the safe version is 2.0.13-829.vc72453fa_1c16, which was published on December 17, 2025. Any users running an earlier or alternate version should treat their environment as potentially compromised and initiate incident response procedures. The company has not disclosed the full scope of what the modified plugin was designed to execute, but supply chain attacks of this nature typically aim to harvest credentials, exfiltrate source code, or establish persistent access within CI/CD pipelines.

The Jenkins Marketplace serves as a primary distribution channel for development tools used across thousands of organizations, meaning a successful injection can propagate rapidly through automated build systems. This is at least the second confirmed supply chain incident involving Checkmarx infrastructure within a short timeframe, raising questions about the security controls protecting its release processes. Security teams using Checkmarx tools are advised to audit their CI/CD environments, rotate any credentials present in build pipelines, and monitor for anomalous outbound traffic originating from Jenkins nodes.
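One way to carry out the version check Checkmarx asks for and the plugin audit recommended above, as an added example that is not Checkmarx's or the Jenkins project's own code: it reads the manifest inside each plugin archive under `$JENKINS_HOME/plugins` and flags any Checkmarx AST copy whose version is not the stated safe build. The plugin short name `checkmarx-ast-scanner` is an assumption (confirm the id in your Jenkins plugin manager); the safe version string is the one from Checkmarx's statement.

```python
import io
import zipfile
from pathlib import Path

SAFE_VERSION = "2.0.13-829.vc72453fa_1c16"   # the build Checkmarx states is safe
PLUGIN_SHORT_NAME = "checkmarx-ast-scanner"  # assumed plugin id; confirm in your Jenkins

def parse_manifest(text: str) -> dict:
    """Parse META-INF/MANIFEST.MF; a line starting with one space continues the previous header."""
    headers, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            headers[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            headers[last] = value.strip()
    return headers

def check_plugin(jpi_bytes: bytes) -> tuple:
    """Return (short_name, version, is_safe); only an exact match on SAFE_VERSION passes."""
    with zipfile.ZipFile(io.BytesIO(jpi_bytes)) as z:
        manifest = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
    name, version = manifest.get("Short-Name", ""), manifest.get("Plugin-Version", "")
    return name, version, (name == PLUGIN_SHORT_NAME and version == SAFE_VERSION)

def audit_archives(archives) -> list:
    """archives: iterable of (filename, bytes). Report every Checkmarx AST copy that is not the safe build."""
    findings = []
    for fname, data in archives:
        name, version, ok = check_plugin(data)
        if name == PLUGIN_SHORT_NAME and not ok:   # older and unknown builds are both suspect
            findings.append(f"{fname}: installed {version!r}, expected {SAFE_VERSION}")
    return findings

def audit_plugins_dir(plugins_dir: str) -> list:
    """Scan the .jpi/.hpi archives in a Jenkins plugins directory with audit_archives."""
    paths = Path(plugins_dir).glob("*.[jh]pi")
    return audit_archives((p.name, p.read_bytes()) for p in paths)

def make_sample_jpi(short_name: str, version: str) -> bytes:
    """Constructed minimal .jpi (a zip holding only a manifest) so the check can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   f"Manifest-Version: 1.0\r\nShort-Name: {short_name}\r\nPlugin-Version: {version}\r\n\r\n")
    return buf.getvalue()
```

On a controller, call `audit_plugins_dir` on the `plugins` directory beneath `JENKINS_HOME`; an empty result means no Checkmarx AST archive other than the stated safe build was found, and any finding should feed the incident response steps above.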