TeamPCP Compromises Official Checkmarx Jenkins Plugin with Malware

Checkmarx warned that a rogue version of its Jenkins Application Security Testing plugin was published on the Jenkins Marketplace, marking the third supply-chain incident the company has suffered since late March. The TeamPCP hacker group claimed responsibility, gaining access to Checkmarx's GitHub repositories using credentials stolen during the Trivy supply-chain attack and leaving a message criticizing the company's secret rotation practices. The malicious plugin version 2026.5.09 deviated from the official release date scheme and lacked proper git tags or GitHub releases.

The threat actor maintained access for at least a month, previously publishing compromised versions of multiple developer tools on Docker and VSCode that included info-stealing code. In late April, Checkmarx confirmed that the LAPSUS$ group leaked data stolen from its private GitHub repository. The rogue Jenkins plugin was uploaded on May 9 outside the official release pipeline and included malicious code.

Checkmarx advised users to ensure they are running version 2.0.13-829.vc72453fa_1c16 published on December 17, 2025, or an older version. Customers who downloaded the malicious version should assume credentials are compromised, rotate all secrets, and investigate for lateral movement or persistence. Checkmarx stated its GitHub repositories are isolated from customer production environments, and no customer data was stored in the compromised repositories. The company has published indicators of compromise to help defenders detect malicious activity on their systems.
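An added defender-side check, not Checkmarx's or the article's own code: the script below reads a Jenkins plugin inventory (the shape returned by Jenkins' `pluginManager/api/json?depth=1` endpoint, here constructed inline) and compares each installed version of the Checkmarx plugin against the known-good build named above. Anything equal to or older than that build is reported as ok, the rogue `2026.5.09` is named explicitly, and any other version newer than the known-good build is flagged for investigation. The plugin short name `checkmarx-ast-scanner` is an assumption, since the article does not give it.

```python
"""Flag installed Jenkins plugin versions that fall outside the known-good set.

Added example; not Checkmarx's or Jenkins' own tooling. Assumes the plugin's
short name (ASSUMED_PLUGIN_ID) and an inventory in the shape of Jenkins'
/pluginManager/api/json?depth=1 output (a "plugins" list of objects with
"shortName" and "version" keys).
"""
import json
import re

# Values taken from the advisory text.
KNOWN_GOOD_VERSION = "2.0.13-829.vc72453fa_1c16"  # latest legitimate release
ROGUE_VERSION = "2026.5.09"                       # rogue build outside the release pipeline

# Assumption: the plugin's Jenkins short name is not stated in the article.
ASSUMED_PLUGIN_ID = "checkmarx-ast-scanner"


def version_key(version):
    """Turn a Jenkins-style version into a list that sorts sensibly.

    Versions are split on '.', '-' and '_'. Numeric runs compare as integers;
    any other token (e.g. the 'vc72453fa' git-hash component) sorts after
    numbers and compares as text. This is enough to place the date-style
    '2026.5.09' after '2.0.13-829...' and '2.0.12-...' before it.
    """
    key = []
    for token in re.split(r"[.\-_]", version):
        if token.isdigit():
            key.append((0, int(token), ""))
        else:
            key.append((1, 0, token))
    return key


def assess_version(installed):
    """Classify one installed version relative to the advisory's guidance."""
    if installed == ROGUE_VERSION:
        return "rogue"
    if version_key(installed) <= version_key(KNOWN_GOOD_VERSION):
        return "ok"
    return "newer-than-known-good"


def scan_plugin_inventory(api_json_text, plugin_id=ASSUMED_PLUGIN_ID):
    """Return [(version, verdict)] for every installed copy of plugin_id.

    Other plugins are ignored; a missing plugin yields an empty list, which
    callers should treat as 'not installed' rather than 'safe'.
    """
    inventory = json.loads(api_json_text)
    findings = []
    for plugin in inventory.get("plugins", []):
        if plugin.get("shortName") == plugin_id:
            version = plugin.get("version", "")
            findings.append((version, assess_version(version)))
    return findings


# Constructed sample inventory: one unrelated plugin and one rogue Checkmarx install.
SAMPLE_INVENTORY = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "5.0.0", "enabled": True},
        {"shortName": ASSUMED_PLUGIN_ID, "version": "2026.5.09", "enabled": True},
    ]
})


if __name__ == "__main__":
    for version, verdict in scan_plugin_inventory(SAMPLE_INVENTORY):
        print(f"{ASSUMED_PLUGIN_ID} {version}: {verdict}")
```

On a live controller, replace `SAMPLE_INVENTORY` with the body of `GET <jenkins-url>/pluginManager/api/json?depth=1` fetched with an account that can view plugins; a `rogue` or `newer-than-known-good` verdict should trigger the credential-rotation and lateral-movement review described above, not just a plugin downgrade.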
