Checkmarx Jenkins Plugin Compromised by TeamPCP Malware Attack

Severity: High (Score: 72.8)

Sources: checkmarx.com, plugins.jenkins.io, Ground.News, socradar.io, Theregister

Summary

Checkmarx reported that a malicious version of its Jenkins AST plugin was uploaded to the Jenkins Marketplace on May 9, 2026. The backdoored plugin, which affects security scans in Jenkins CI pipelines, poses a significant risk because it can compromise multiple projects by exploiting trusted infrastructure. Users are advised to verify that they are using the correct version (2.0.13-829.vc72453fa_1c16), released on December 17, 2025. The attack is attributed to TeamPCP, which has previously targeted Checkmarx's tools, including its GitHub Actions plugin and KICS static analysis tool. The malware, dubbed Shai-Hulud, has a CVSS score of 9.4, indicating a critical vulnerability. This incident marks the third compromise of Checkmarx's packages in recent months, raising concerns about the company's security practices. Checkmarx is actively working to remove the malicious plugin and has urged users to rotate their secrets immediately.

Key Points:

  • A malicious Jenkins plugin version was uploaded to the Jenkins Marketplace on May 9, 2026.
  • The compromised plugin can access sensitive data across multiple projects in Jenkins CI pipelines.
  • Users must verify their plugin version and rotate secrets to mitigate risks from the backdoored plugin.

Key Entities

  • TeamPCP (apt_group)
  • Data Breach (attack_type)
  • Malware (attack_type)
  • Supply Chain Attack (attack_type)
  • KICS Supply Chain Attack (campaign)
  • TeamPCP Attack (campaign)
  • TeamPCP Supply Chain Attacks (campaign)
  • Trivy Supply Chain Attack (campaign)
  • Shai-hulud (malware)
  • Mini Shai-Hulud (malware)
  • Shai-hulud 2.0 (malware)
  • Checkmarx (company)
  • SAP (company)
  • Open VSX (company)
  • OpenVSX (company)
  • KICS (tool)
  • Docker (tool)
  • GitHub Actions (tool)
  • Checkmarx AST Plugin (tool)
  • Checkmarx AST Scanner Plugin (tool)
  • repo.jenkins-ci.org (domain)
  • support.checkmarx.com (domain)
  • T1021 - Remote Services (mitre_attack)
  • T1078 - Valid Accounts (mitre_attack)
  • T1195 - Supply Chain Compromise (mitre_attack)
  • T1567 - Exfiltration Over Web Service (mitre_attack)
  • Checkmarx One (platform)
  • CxSAST (platform)
  • Docker Hub (platform)
  • GitHub (platform)
  • Jenkins (platform)
  • 744c9d61b66bcd2bb5474d9afeee6c00bb7e0cd32535781da188b80eb59383e0 (sha256)