
Checkmarx warned over the weekend that a rogue version of its Jenkins Application Security Testing (AST) plugin had been published on the Jenkins Marketplace.
The compromise was claimed by the TeamPCP hacker group, which initiated a spree of supply-chain attacks that included the Shai-Hulud campaigns on npm and the Trivy vulnerability scanner breach, resulting in the delivery of credential-stealing malware.
Jenkins is among the most widely used Continuous Integration/Continuous Deployment (CI/CD) automation solutions for software building, testing, code scanning, application packaging, and deploying updates to servers.
The Checkmarx AST plugin on the Jenkins Marketplace integrates security scanning into automated pipelines.
“We are aware that a modified version of the Checkmarx Jenkins AST plugin was published to the Jenkins Marketplace. We are in the process of publishing a new version of this plug-in,” Checkmarx alerted in the update.
This is the third incident in a series of supply-chain attacks the application security testing company has suffered since late March.
According to offensive security engineer Adnan Khan, TeamPCP gained access to Checkmarx’s GitHub repositories and backdoored the Jenkins AST plugin to deliver credential-stealing malware.
A company spokesperson confirmed to BleepingComputer that the threat actor obtained credentials to the repositories from the Trivy supply-chain attack in March.
A message the hackers left in the about section reads: “Checkmarx fails to rotate secrets again. With love – TeamPCP.”

Source: Adnan Khan
“Because of that access, the attackers were able to interact with Checkmarx’s GitHub environment and subsequently publish malicious code to certain artifacts,” the company spokesperson said.
Using credentials stolen in the Trivy attack, the hackers published modified versions of multiple developer tools on GitHub, Docker, and VSCode that included info-stealing code.
The threat actor maintained access for at least a month and then published a malicious version of the company’s KICS analysis tool on Docker, Open VSX, and VSCode, which harvested data from developer environments.
In late April, the company confirmed that the LAPSUS$ threat group leaked data stolen from its private GitHub repository.
On Saturday, May 9, a rogue version (2026.5.09) of the Checkmarx Jenkins AST plugin was uploaded to repo.jenkins-ci.org. The update was outside the plugin’s release pipeline and included malicious code.
Apart from not following the official versioning scheme, the malicious plugin lacked a git tag and a GitHub release.
Checkmarx advised users to make sure they are using version 2.0.13-829.vc72453fa_1c16 of the plugin, published on December 17, 2025, or an older one.
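A quick way to check a Jenkins instance against the versions named above is to read the plugin list from the plugin manager API (`GET /pluginManager/api/json?depth=1`) and flag any Checkmarx AST plugin build that is the rogue 2026.5.09 release or newer than the last trusted one. This is an added example, not code from Checkmarx or the Jenkins project; the plugin short name `checkmarx-ast-scanner` and the sample JSON are assumptions constructed for the demo.

```python
import json
import re

# Versions taken from the article: last known-good release and the rogue build.
KNOWN_GOOD = "2.0.13-829.vc72453fa_1c16"
ROGUE_VERSIONS = {"2026.5.09"}

# Assumption: the plugin's Jenkins shortName; compare with your own plugin list.
CHECKMARX_AST_SHORTNAME = "checkmarx-ast-scanner"


def version_key(version: str) -> tuple:
    """Leading numeric components of a plugin version, for ordering.
    '2.0.13-829.vc72453fa_1c16' -> (2, 0, 13, 829); '2026.5.09' -> (2026, 5, 9)."""
    parts = []
    for token in re.split(r"[.\-]", version):
        if not token.isdigit():
            break  # stop at the commit-hash suffix
        parts.append(int(token))
    return tuple(parts)


def is_suspicious(version: str) -> bool:
    """True for the known rogue build or anything newer than the trusted release."""
    return version in ROGUE_VERSIONS or version_key(version) > version_key(KNOWN_GOOD)


def audit_plugins(plugin_manager_json: str) -> list:
    """Parse pluginManager API output and report every Checkmarx plugin found."""
    data = json.loads(plugin_manager_json)
    findings = []
    for plugin in data.get("plugins", []):
        short_name = plugin.get("shortName", "")
        long_name = plugin.get("longName", "")
        if short_name != CHECKMARX_AST_SHORTNAME and "checkmarx" not in long_name.lower():
            continue
        version = plugin.get("version", "")
        findings.append({"shortName": short_name, "version": version,
                         "suspicious": is_suspicious(version)})
    return findings


# Constructed sample of what the API returns, with the rogue build installed.
SAMPLE = json.dumps({"plugins": [
    {"shortName": "git", "longName": "Git plugin", "version": "5.7.0", "active": True},
    {"shortName": "checkmarx-ast-scanner", "longName": "Checkmarx AST Scanner Plugin",
     "version": "2026.5.09", "active": True},
]})

if __name__ == "__main__":
    for finding in audit_plugins(SAMPLE):
        print(finding)
```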
Although Checkmarx hasn’t shared any details about what the rogue Jenkins plugin does on systems, those who have downloaded the malicious version should assume that their credentials are compromised, rotate all secrets, and check for lateral movement or persistence.
Checkmarx says that its GitHub repositories are isolated from its customer production environment, and no customer data is stored in the GitHub repository.
“We have communicated with our customers throughout this process and will continue to provide relevant updates as more information becomes available,” the cybersecurity company stated, adding that customers can find recommendations on the Fortify Portal or in the Security Updates sections.
Checkmarx has published a set of malicious artifacts that defenders can use as indicators of compromise (IoCs) in their environments.