Theregister
Checkmarx Jenkins Plugin Compromised by TeamPCP Malware Attack
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
Checkmarx reported a malicious version of its Jenkins AST plugin was uploaded to the Jenkins Marketplace on May 9, 2026. This backdoored plugin, which affects security scans in Jenkins CI pipelines, poses a significant risk as it can compromise multiple projects by exploiting trusted infrastructure. Users are advised to verify they are using the correct version (2.0.13-829.vc72453fa_1c16) released on December 17, 2025. The attack is attributed to TeamPCP, which has previously targeted Checkmarx's tools, including its GitHub Actions plugin and KICS static analysis tool. The malware, dubbed Shail-Hulud, has a CVSS score of 9.4, indicating a critical vulnerability. This incident marks the third compromise of Checkmarx's packages in recent months, raising concerns about the company's security practices. Checkmarx is actively working to remove the malicious plugin and has urged users to rotate their secrets immediately.
Key Points: • A malicious Jenkins plugin version was uploaded to the Jenkins Marketplace on May 9, 2026. • The compromised plugin can access sensitive data across multiple projects in Jenkins CI pipelines. • Users must verify their plugin version and rotate secrets to mitigate risks from the backdoored plugin.