Checkmarx Jenkins Plugin Infostealer Breach: TeamPCP Maintained Access for Over a Month
Checkmarx, a widely used code-security platform, confirmed that its official Jenkins plugin was compromised with an infostealer, in an attack the company attributed to the threat actor TeamPCP. The incident is the latest in a recurring pattern of supply-chain compromises and has renewed scrutiny of the security of the developer-tool ecosystems that enterprises rely on to safeguard their software pipelines.
The breach was not a fleeting intrusion. According to Checkmarx's own disclosure and supporting technical analysis, the attacker sustained access inside the plugin for more than a month. Investigators assessed that the adversary leveraged stolen credentials harvested from a prior, separate attack to gain initial access, rather than exploiting a fresh vulnerability. In at least one exchange, the attacker openly taunted Checkmarx, pointing out that the company had failed to rotate compromised secrets, a failure that enabled the extended dwell time inside the development toolchain.
The implications reach beyond Checkmarx's customer base. Jenkins is one of the most widely deployed CI/CD automation servers in the industry, and a compromised plugin distributed through official channels creates a direct vector into software build environments, source repositories, and deployment pipelines. Security teams using Checkmarx's Jenkins integration are now urged to audit plugin versions, rotate any stored credentials, and review access logs for anomalous behavior dating back to the pre-detection window. The incident underscores a persistent weakness in the open-source and commercial tooling supply chain: trust placed in official plugin repositories, combined with insufficient secrets-rotation hygiene, can turn a single credential compromise into a durable foothold across hundreds of downstream environments.
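The three actions recommended above (audit plugin versions, rotate stored credentials, review access logs for the pre-detection window) can be started with a small triage script. The following Python is an added example written for this article; it is not code from Checkmarx, Jenkins or the article itself. It assumes the plugin inventory is the JSON that Jenkins' real `/pluginManager/api/json?depth=1` endpoint returns, that the Checkmarx plugin's `shortName` is `checkmarx` (an assumption; confirm on your own controller), that access logs are in NCSA combined format (what Jenkins' built-in Winstone access logger emits when enabled), and that `KNOWN_GOOD_VERSIONS` is a placeholder allowlist you fill from your own change records, since the article names no version numbers. All sample data is constructed.

```python
import json
import re
from datetime import datetime, timezone

# --- 1. Plugin version audit ------------------------------------------------
# Constructed sample in the shape of /pluginManager/api/json?depth=1 output.
SAMPLE_PLUGIN_JSON = json.dumps({
    "plugins": [
        {"shortName": "checkmarx", "version": "2.0.0-PLACEHOLDER", "enabled": True},
        {"shortName": "git", "version": "5.0.0", "enabled": True},
    ]
})

WATCHED_PLUGIN = "checkmarx"                     # assumed shortName
KNOWN_GOOD_VERSIONS = {"checkmarx": {"1.0.0-PLACEHOLDER"}}  # placeholder allowlist


def audit_plugins(plugin_json, watched=WATCHED_PLUGIN, allowlist=KNOWN_GOOD_VERSIONS):
    """Return (installed_version, needs_review). needs_review is True when the
    watched plugin is installed with a version not on the allowlist."""
    for plugin in json.loads(plugin_json)["plugins"]:
        if plugin.get("shortName") == watched:
            version = plugin.get("version")
            return version, version not in allowlist.get(watched, set())
    return None, False


# --- 2. Access-log review for the pre-detection window ----------------------
# NCSA combined format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Real Jenkins URL prefixes that touch secrets, the script console or plugins.
SENSITIVE_PREFIXES = ("/credentials", "/script", "/manage", "/pluginManager")

# Constructed sample log: a baseline period, the review window, and a later line.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - alice [01/Feb/2024:09:00:01 +0000] "GET /job/app/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - bob [02/Feb/2024:09:30:00 +0000] "GET /job/app/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.5 - alice [03/Mar/2024:10:15:32 +0000] "GET /job/app/lastBuild/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - alice [10/Mar/2024:02:41:09 +0000] "GET /credentials/store/system/ HTTP/1.1" 200 2048 "-" "curl/8.0"
10.0.0.9 - bob [12/Mar/2024:14:00:00 +0000] "POST /script HTTP/1.1" 200 128 "-" "Mozilla/5.0"
10.0.0.5 - alice [20/Apr/2024:08:00:00 +0000] "GET /job/app/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""
# Constructed review window: the month-plus before detection.
WINDOW_START = datetime(2024, 3, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 4, 15, tzinfo=timezone.utc)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return event


def triage_access_log(lines, window_start, window_end):
    """Flag in-window requests whose (user, source IP) pair was never seen
    before the window, or which hit a sensitive Jenkins path."""
    events = [e for e in map(parse_line, lines) if e]
    baseline = {(e["user"], e["ip"]) for e in events if e["ts"] < window_start}
    findings = []
    for e in events:
        if not (window_start <= e["ts"] <= window_end):
            continue
        reasons = []
        if (e["user"], e["ip"]) not in baseline:
            reasons.append("source IP not seen for this user before the window")
        if e["path"].startswith(SENSITIVE_PREFIXES):
            reasons.append("request to a sensitive Jenkins path")
        if reasons:
            findings.append({"user": e["user"], "ip": e["ip"], "path": e["path"],
                             "ts": e["ts"].isoformat(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("plugin audit:", audit_plugins(SAMPLE_PLUGIN_JSON))
    for f in triage_access_log(SAMPLE_ACCESS_LOG.splitlines(), WINDOW_START, WINDOW_END):
        print("review:", f)
```

Every credential a flagged principal could reach (the `/credentials` store in particular) belongs on the rotation list regardless of whether the request looks legitimate, since the article's central lesson is that unrotated secrets, not a new vulnerability, gave the attacker its month of access.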