Anonymous Intelligence Signal

Checkmarx Jenkins Plugin Spoofed on Marketplace, Infostealer Variant Distributed to Developers

The Lab (human, unverified) | 2026-05-12 00:48:21 | Source: BleepingComputer Echo RSS

Checkmarx has confirmed that a malicious version of its Jenkins Application Security Testing (AST) plugin was published on the official Jenkins Marketplace, exposing software developers who downloaded the rogue package to infostealer malware. The company issued a warning over the weekend after identifying the fraudulent listing, marking this as a confirmed supply chain threat targeting the CI/CD environments widely used in enterprise software development.

The counterfeit plugin was designed to mimic the legitimate Checkmarx AST offering, leveraging the trust associated with the official marketplace to deceive developers into installation. Once deployed, the malicious package would harvest sensitive information from compromised systems, potentially including credentials, access tokens, and environment variables critical to software build pipelines. Jenkins, as an open-source automation server, serves as a foundational tool for continuous integration and delivery across countless organizations, making this marketplace compromise a high-value attack vector for threat actors seeking broad access to corporate codebases and infrastructure.

Checkmarx has urged any users who installed the fraudulent plugin to immediately audit their environments, rotate potentially exposed credentials, and review system logs for suspicious activity. The incident underscores persistent vulnerabilities in software marketplace ecosystems, where attackers exploit the trusted distribution channels that developers rely on for rapid tooling deployment. Organizations integrating third-party plugins into their development pipelines face ongoing pressure to verify package authenticity beyond marketplace listings, implement runtime monitoring, and maintain strict least-privilege access controls within their CI/CD infrastructure.
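One concrete form of "verifying package authenticity beyond marketplace listings" is to pin every plugin an organization vets to its version and archive hash, and to audit the Jenkins plugins directory against that pin list. The script below is an added example written for this page; it is not code from Checkmarx, Jenkins, or the report. It relies only on the fact that a Jenkins plugin archive (.jpi/.hpi) is a zip whose META-INF/MANIFEST.MF carries Short-Name and Plugin-Version. The plugin names, archives, and allowlist values are constructed inside the script so it runs offline; the statuses it reports (ok, unknown-plugin, version-mismatch, hash-mismatch, unreadable) are this example's own vocabulary.

```python
import hashlib
import os
import tempfile
import zipfile


def sha256_of(path):
    """SHA-256 of a file on disk, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def read_manifest(jpi_path):
    """Parse META-INF/MANIFEST.MF from a plugin archive into a dict (handles continuation lines)."""
    with zipfile.ZipFile(jpi_path) as zf:
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs, last_key = {}, None
    for line in raw.splitlines():
        if line.startswith(" ") and last_key:  # manifest continuation line
            attrs[last_key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last_key = key.strip()
            attrs[last_key] = value.strip()
    return attrs


def audit_plugin_dir(plugin_dir, allowlist):
    """Compare each installed archive with the pinned allowlist {short_name: (version, sha256)}.

    Returns {archive filename: (status, detail)}.
    """
    findings = {}
    for name in sorted(os.listdir(plugin_dir)):
        if not name.endswith((".jpi", ".hpi")):
            continue
        path = os.path.join(plugin_dir, name)
        try:
            attrs = read_manifest(path)
        except (zipfile.BadZipFile, KeyError):
            findings[name] = ("unreadable", "not a valid plugin archive")
            continue
        short_name = attrs.get("Short-Name", "?")
        version = attrs.get("Plugin-Version", "?")
        digest = sha256_of(path)
        pinned = allowlist.get(short_name)
        if pinned is None:
            findings[name] = ("unknown-plugin", f"{short_name} {version} is not on the allowlist")
        elif pinned[0] != version:
            findings[name] = ("version-mismatch", f"{short_name}: installed {version}, pinned {pinned[0]}")
        elif pinned[1] != digest:
            # Same name and version as the vetted build, but different bytes: the lookalike case.
            findings[name] = ("hash-mismatch", f"{short_name} {version}: archive differs from vetted build")
        else:
            findings[name] = ("ok", f"{short_name} {version}")
    return findings


def _make_jpi(path, short_name, version, payload):
    """Write a minimal constructed .jpi with a Jenkins-style manifest (example data only)."""
    manifest = f"Manifest-Version: 1.0\nShort-Name: {short_name}\nPlugin-Version: {version}\n"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("WEB-INF/lib/plugin.jar", payload)


def build_sample_plugin_dir():
    """Construct a plugins directory plus an allowlist that vets some of its archives."""
    plugin_dir = tempfile.mkdtemp(prefix="jenkins-plugins-")
    ref_dir = os.path.join(plugin_dir, "reference")  # vetted builds the allowlist was taken from
    os.mkdir(ref_dir)

    vetted = os.path.join(plugin_dir, "vetted-scanner.jpi")
    _make_jpi(vetted, "vetted-scanner", "2.1.0", b"vetted build contents")

    # Pinned 2.1.0 was vetted from a reference build; the installed copy has different bytes.
    ref_tampered = os.path.join(ref_dir, "tampered-scanner.jpi")
    _make_jpi(ref_tampered, "tampered-scanner", "2.1.0", b"original vetted contents")
    _make_jpi(os.path.join(plugin_dir, "tampered-scanner.jpi"), "tampered-scanner", "2.1.0", b"swapped contents")

    _make_jpi(os.path.join(plugin_dir, "stale-tool.jpi"), "stale-tool", "1.1.0", b"newer than pinned")
    _make_jpi(os.path.join(plugin_dir, "unlisted-helper.jpi"), "unlisted-helper", "0.9", b"never vetted")

    allowlist = {
        "vetted-scanner": ("2.1.0", sha256_of(vetted)),
        "tampered-scanner": ("2.1.0", sha256_of(ref_tampered)),
        "stale-tool": ("1.0.0", "0" * 64),  # constructed placeholder hash for the pinned 1.0.0 build
    }
    return plugin_dir, allowlist


if __name__ == "__main__":
    plugin_dir, allowlist = build_sample_plugin_dir()
    for name, (status, detail) in audit_plugin_dir(plugin_dir, allowlist).items():
        print(f"{status:16} {name}: {detail}")
```

The allowlist hashes come from archives recorded at vetting time, never from the marketplace page itself; that is what makes a lookalike with the same name and version show up as hash-mismatch rather than pass. In practice the audit would run on the controller's plugins directory and the findings would feed a ticket or alert, alongside the credential rotation and log review the advisory calls for.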