Checkmarx Jenkins Plugin Compromised in New TeamPCP Supply Chain Attack
Checkmarx has confirmed that a malicious version of its Jenkins AST plugin was published on the Jenkins Marketplace, marking the second supply chain incident involving the company in recent weeks. The cybersecurity firm urged users to ensure they are running version 2.0.13-829.vc72453fa_1c16 or earlier, released before December 17, 2025.
“We have identified unauthorized modifications to the Jenkins AST plugin build that could expose users to risk,” a Checkmarx spokesperson told reporters under condition of anonymity. “We recommend immediate verification and upgrade to the latest secure version.” The compromised plugin was traced to the threat actor tracked as TeamPCP, the same group linked to the earlier KICS supply chain attack.
Background
The TeamPCP threat actor first came to light in late November 2025 when Checkmarx’s KICS (Kubernetes Infrastructure as Code Scanner) plugin was targeted in a similar supply chain compromise. In that incident, malicious code was injected into a popular open-source component, affecting thousands of CI/CD pipelines. Cybersecurity researchers warned that the group is methodically infiltrating development tools to steal credentials and intellectual property.

The Jenkins AST plugin is widely used for automated security testing within Jenkins pipelines, making it a high-value target. Checkmarx’s own internal monitoring systems flagged the anomaly within hours, but not before the malicious version was downloaded by an unknown number of users.

What This Means
Organizations using the Checkmarx Jenkins AST plugin should immediately audit their Jenkins configurations. The compromised version could allow attackers to exfiltrate API keys, source code, and other sensitive data stored in the pipeline environment. Security teams are advised to compare checksums against the official release and rotate any credentials that may have been exposed.
“This is a wake-up call for DevOps teams relying on plugin marketplaces without verifying supply chain integrity,” said Dr. Elena Ross, a cybersecurity expert at the SANS Institute. “The reuse of known threat actor signatures suggests a coordinated campaign against CI/CD security tooling.” Checkmarx has released patch version 2.0.14-830.ga_2b3c4d, available now from the official Jenkins plugin index.
The company also published a detailed incident report and a script to detect indicators of compromise. Users who downloaded the plugin between December 10 and December 17, 2025, are at highest risk. Checkmarx is cooperating with law enforcement and the Jenkins security team to remove the rogue plugin and track the attacker’s infrastructure.