Checkmarx Jenkins Plugin Compromised by TeamPCP Malware Attack

Checkmarx Jenkins Plugin Compromised by TeamPCP Malware Attack

First seen 11 May 2026, 12:33 UTC CheckmarxTheregisterThehackernewsGround.NewsBleepingcomputer+9 90% similarity 72.8

Article Content

Browse articles
ThreatCluster

Checkmarx reported a malicious version of its Jenkins AST plugin was uploaded to the Jenkins Marketplace on May 9, 2026. This backdoored plugin, which affects security scans in Jenkins CI pipelines, poses a significant risk as it can compromise multiple projects by exploiting trusted infrastructure. Users are advised to verify they are using the correct version (2.0.13-829.vc72453fa_1c16) released on December 17, 2025. The attack is attributed to TeamPCP, which has previously targeted Checkmarx's tools, including its GitHub Actions plugin and KICS static analysis tool. The malware, dubbed Shail-Hulud, has a CVSS score of 9.4, indicating a critical vulnerability. This incident marks the third compromise of Checkmarx's packages in recent months, raising concerns about the company's security practices. Checkmarx is actively working to remove the malicious plugin and has urged users to rotate their secrets immediately.

Key Points: • A malicious Jenkins plugin version was uploaded to the Jenkins Marketplace on May 9, 2026. • The compromised plugin can access sensitive data across multiple projects in Jenkins CI pipelines. • Users must verify their plugin version and rotate secrets to mitigate risks from the backdoored plugin.

ThreatCluster AI

Timeline

2026-05-09
Malicious Checkmarx Jenkins plugin uploaded
A modified version of the Checkmarx Jenkins AST plugin was published, compromising security for users.
The Register
2026-05-10
Checkmarx issues security alert
Checkmarx confirmed the unauthorized upload and advised users to check for the correct plugin version.
Checkmarx
2026-05-11
Security experts warn of malware impact
The malware, named Shail-Hulud, has a CVSS score of 9.4 and poses a critical risk to Jenkins users.
The Hacker News

Community

Browse all →