Checkmarx said a modified version of its Jenkins AST plugin was published to the Jenkins Marketplace, and told users to stay on version 2.0.13-829.vc72453fa_1c16 or earlier if they use the plugin. The company has since released version 2.0.13-848.v76e89de8a_053, but said it was still in the process of publishing a new release.
KEY FACTS
- Plugin: The affected component is the Jenkins AST plugin used by Checkmarx customers.
- Warning: Users were told to ensure they are on version 2.0.13-829.vc72453fa_1c16 or earlier from Dec. 17, 2025.
- New release: A newer build, 2.0.13-848.v76e89de8a_053, is now posted on GitHub and the Jenkins Marketplace.
- Campaign: The incident is part of a broader series of intrusions linked to TeamPCP since March 2026.
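As an added example (not from the Checkmarx advisory or from the plugin itself), a small Python check that parses Jenkins-style plugin version strings and classifies an installed build against the two versions quoted above. The version layout it assumes (dotted release, dash, CI build number, git-hash suffix) is an assumption drawn from those strings, and the "review" result for builds between them is this example's own policy, since the advisory does not state which build number the modified plugin carried.

```python
import re
from dataclasses import dataclass

# Assumed layout: "2.0.13-829.vc72453fa_1c16" = dotted release, then a
# monotonically increasing build number after the dash, then a git-hash
# suffix that carries no ordering information and is ignored.
VERSION_RE = re.compile(
    r"^(?P<release>\d+(?:\.\d+)*)(?:-(?P<build>\d+)(?:\.v(?P<hash>[0-9a-f_]+))?)?$"
)

@dataclass(frozen=True, order=True)
class PluginVersion:
    release: tuple   # e.g. (2, 0, 13); compared first
    build: int       # e.g. 829; compared second, 0 when absent

def parse_version(text):
    """Parse a Jenkins plugin version string into a comparable value."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins plugin version: {text!r}")
    release = tuple(int(part) for part in m.group("release").split("."))
    build = int(m.group("build") or 0)
    return PluginVersion(release, build)

# The two versions named in the advisory.
LAST_KNOWN_GOOD = "2.0.13-829.vc72453fa_1c16"
REBUILT_RELEASE = "2.0.13-848.v76e89de8a_053"

def assess(installed, last_known_good=LAST_KNOWN_GOOD, rebuilt=REBUILT_RELEASE):
    """Return 'ok' for builds at/below the known-good or at/above the rebuilt
    release, and 'review' for anything in between (the window in which the
    modified plugin was published)."""
    v = parse_version(installed)
    if v <= parse_version(last_known_good):
        return "ok: at or below the last known-good build"
    if v >= parse_version(rebuilt):
        return "ok: rebuilt release or later"
    return "review: newer than known-good but older than the rebuilt release"

if __name__ == "__main__":
    # Constructed sample inventory; plugin ids are placeholders, not from the advisory.
    for plugin_id, version in {"ast-plugin-PLACEHOLDER": "2.0.13-835.v0123456789ab"}.items():
        print(plugin_id, version, "->", assess(version))
```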
A company security update said the malicious plugin version was published to the marketplace, but did not say how it got there. The disclosure said the campaign was the latest attack tied to TeamPCP, a group that has previously been linked to compromises involving a KICS Docker image, two VS Code extensions and a GitHub Actions workflow.
Security researcher Adnan Khan and SOCRadar said the group appeared to have gained unauthorized access to the plugin’s GitHub repository and renamed it with a defaced title. The repository description was also changed to accuse the company of failing to rotate secrets.
SOCRadar said the quick return suggested either incomplete remediation or that the group retained access after the earlier incident. The report also noted that a second Checkmarx incident so soon could indicate the attackers were watching for new entry points.
WHY IT MATTERS
The incident highlights how attackers can exploit trust in software supply chains to reach developers through widely used tools. It also shows the operational risk that remains if credentials are not fully rotated or if all access paths are not removed after a breach.